: Disputing Gates"> Many security experts dispute Gates assessment of the problem. They counter that common vulnerabilities, such as buffer overruns, are the end product of a marketplace that demands features and functionality above all else and inevitably rewards vendors that produce inexpensive, easy-to-use software. "Why is [it] that we have to pretend that everyone is nice and honorable and tries to do the best all the time? I would say that Bill Gates is lying," said Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., in Cupertino, Calif. "He knows that vulnerabilities are mistakes made by programmers. They are mistakes in specifications and mistakes in coding. They are the result of a focus on features rather than security."That may change in the coming years as the focus on national security trickles down to the university level. But for now, there is little optimism. "The marketplace hasnt stopped. There will always be pressure to add new features," said Gene Spafford, professor of computer science at Purdue University, in West Lafayette, Ind., and a well-known expert on information security. "As we add more features, the problem will get worse; not linearly but probably exponentially. Theres no design specifications, no quality control. Theres a point at which you have to stop slapping Band-Aids on it and say theres something wrong here." And because many vendors continue to use their old code base as the foundation for upgrades as well as new products, the existing problems are bound to get worse before they get better, Spafford said. "Theres a huge quantity of code out there that was badly designed, and until that code is replaced, well continue to have problems," Spafford said. "There are technologies out there that build better software, but it requires training. Most vendors write in C and C++ because theyre cheaper and they can reuse a lot of their code. If I produce a student who knows how to write really sound code in Modula-3, whos going to employ them?" Related stories:
Survey: IT Embracing Security Whos Watching Whom? Security: Time to Take Names, Lay Blame Security Quandary: Whos Liable? Ignorance: The Hackers Best Friend Trail of Destruction: The History of the Virus
Proposal Calls for Quick Response to Flaw Discoveries More Security Coverage
Others say the problem begins with poorly trained developers working on projects with no formal design specifications and little direction aside from getting it out the door as quickly as possible. The government should also share some of the responsibility for the continued increase in software vulnerabilities, as it has done little to fund research or education in information security, experts say.