The good guys are always at a disadvantage. It takes much more code to defend against bad actors than it does to write bad actors. I can write a malware program that can brick your computer with 30 assembly language instructions. It would probably take you at least 50,000 assembly language instructions to defend against the same.
3. Fuzzers are people, too
These days, fuzzers are used to tease out software vulnerabilities. Fuzzers -- or any programs that look for coding mistakes and vulnerabilities -- are written by people. Fuzzers didn't find that color attribute buffer overflow because they weren't written to look in that field. After the success of the exploit, the fuzzers were updated, and they now look in all sorts of fields for similar buffer overflow conditions. Fuzzers only do what we tell them to do.
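To make the point concrete, here is an added toy example (not code from the column or from any real fuzzer) showing why a fuzzer finds only what it is pointed at. The record format, the parser, the fixed buffer size and the mutation strategy are all constructed for this illustration; an IndexError stands in for the memory corruption a real unchecked copy would cause. Fuzzing only the field that is bounds-checked never surfaces the defect; adding the unchecked field to the fuzzer's target list finds it within a few hundred iterations.

```python
"""Toy illustration of fuzzer coverage: a fuzzer only finds bugs in the
fields it is told to mutate. Added example; the record format, the
parser and the simulated overflow are all constructed for this demo."""
import random

BUF_SIZE = 16  # constructed: size of the fixed destination buffer in the toy parser


def parse_record(record: dict) -> list:
    """Toy parser: copies 'name' with a length check, but copies 'color'
    unchecked into a fixed-size buffer (the constructed defect)."""
    buf = [0] * BUF_SIZE
    name = record.get("name", b"")
    if len(name) > BUF_SIZE:
        raise ValueError("name too long")  # correct, bounded handling
    for i, b in enumerate(name):
        buf[i] = b
    color = record.get("color", b"")
    for i, b in enumerate(color):
        buf[i] = b  # missing bounds check: IndexError stands in for the overflow
    return buf


def mutate(value: bytes, rng: random.Random) -> bytes:
    """Simple mutation strategy: append random bytes, flip one byte, or truncate."""
    choice = rng.randrange(3)
    if choice == 0:
        extra = rng.randrange(1, 64)
        return value + bytes(rng.randrange(256) for _ in range(extra))
    if choice == 1 and value:
        i = rng.randrange(len(value))
        return value[:i] + bytes([rng.randrange(256)]) + value[i + 1:]
    return value[: rng.randrange(len(value) + 1)]


def fuzz(fields_to_mutate, iterations=500, seed=1):
    """Mutate only the named fields of a seed record and return the first
    record that makes the parser fail unexpectedly, or None if none does.
    A ValueError is the parser rejecting input cleanly and is not a finding."""
    rng = random.Random(seed)
    seed_record = {"name": b"widget", "color": b"red"}  # constructed seed input
    for _ in range(iterations):
        rec = dict(seed_record)
        for field in fields_to_mutate:
            rec[field] = mutate(rec[field], rng)
        try:
            parse_record(rec)
        except ValueError:
            continue  # bounded rejection: working as intended
        except IndexError:
            return rec  # crash: the unchecked field overflowed the buffer
    return None


if __name__ == "__main__":
    print("fuzzing only 'name'  ->", fuzz(["name"]))
    print("fuzzing 'name','color' ->", fuzz(["name", "color"]))
```

The defensive lesson is the one the column draws: after a missed bug, the fuzzer's field list (its corpus and mutation targets) has to be widened, and coverage of every parsed field should be tracked rather than assumed.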
4. Lack of vendor accountability
Many security experts complain that we'll never be more secure as long as we can't sue companies for software flaws. I agree that more company accountability would help decrease security risk, but increased legal liability would probably slow down progress. You would not be holding that cool little cellphone, carrying that near-weightless music player, or watching movies over the Internet if we could hold software companies more accountable than they already are.
Success is driven by features and speed, not security. We as a society have determined that we will trade safety and security for newness. That's not necessarily a bad thing -- we get ahead faster. But we have to live with the downsides of that trade-off. So far, we are willing to accept a lot of risk to get the cool new thing.
5. Lack of hacker accountability
The reality is that none of the above will get fixed anytime soon. But the software vulnerability itself isn't really the problem. It's the exploit of the vulnerability by those with malicious intent. As long as we let most hackers get away with murder, rampant hacking and malware will continue to plague us.
I still hold out hope that one day the Internet will be fixed, default pervasive identity will get baked in, and we can hold those who do us harm more accountable, as in the real world. Until that happens, we'll keep playing whack-a-mole defense and be barraged by constant software patches.
This story, "5 reasons why software bugs still plague us," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.