Not every software company has to deal with bugs as critical as the ones believed to have contributed to accidents involving Toyota cars, but one thing is becoming increasingly clear: Every software company ships products with hidden security defects. There are virtually no exceptions.
According to software testing service provider Veracode, which issued a report to coincide with this week's RSA Conference in San Francisco, nearly 60 percent of the software submitted to its security testing suite in the last 18 months failed the first round of tests. As Veracode's senior vice president of marketing Roger Oberg notes, these were applications from vendors who cared enough about security to use Veracode's services in the first place.
Veracode's data is not unique. Last year, a study by WhiteHat Security found that 82 percent of enterprise Websites had harbored at least one security flaw of "high, critical, or urgent" severity in recent history, and 63 percent still contained such bugs at the time of the survey.
Admittedly, studies by security consultancies are self-serving. Yet their findings should not be dismissed out of hand. You need only sift through the headlines to notice the frequency with which vulnerabilities are discovered in major software products from reputable vendors. Independent developers would be foolish to assume their own software is any different, simply because bugs are so difficult to avoid.
Developers play whack-a-mole
Don't assume that only the obscure, sophisticated bugs slip through the cracks, either. Each year, the SANS Institute and Common Weakness Enumeration (CWE), a government-sponsored security watchdog, publish a list of the 25 most widespread and dangerous programming errors. As in previous years, the 2010 list includes a few gotchas, such as unwittingly revealing security information in error messages or accepting unrestricted uploads of dangerous file types. But it's also chock-full of such rookie mistakes as race conditions, buffer overflows, and improper validation of array indices. These are timeless errors that date back to the dawn of programming; for them to still be widespread in 2010 is astounding.
And yet, evidence suggests that even acknowledged best practices can sometimes lead to bugs. In 2006, Google's Joshua Bloch blogged that he had discovered a bug in the binary search algorithm found in Jon Bentley's popular reference book, "Programming Pearls," first published in 1986. Bloch wasn't pointing the finger at Bentley, though; as it turned out, the binary search Bloch himself had written for the JDK contained the same bug, and his error had gone unnoticed for around nine years.
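The defect Bloch described lives in the one-line midpoint computation, `mid = (low + high) / 2`, which silently overflows once `low + high` exceeds the largest `int`, so that a search over a large enough array indexes with a negative value. The C program below is an added illustration, not code from the article or from the JDK: it reproduces the overflow and the fix Bloch published (`low + (high - low) / 2`) against a constructed "virtual" sorted array, emulating Java's two's-complement wraparound through unsigned arithmetic because signed overflow is undefined in C.

```c
#include <stdint.h>
#include <stdio.h>

/* Midpoint as written in the original JDK binarySearch and in
 * Programming Pearls: (low + high) / 2.  Java ints wrap on overflow;
 * C signed overflow is undefined, so the wrap is emulated through
 * uint32_t to reproduce Java's behaviour deterministically. */
static int32_t mid_naive(int32_t low, int32_t high) {
    uint32_t sum = (uint32_t)low + (uint32_t)high;   /* wraps mod 2^32 */
    return (int32_t)sum / 2;
}

/* The fix Bloch published: with 0 <= low <= high the difference never
 * exceeds INT32_MAX, so no intermediate value can overflow. */
static int32_t mid_safe(int32_t low, int32_t high) {
    return low + (high - low) / 2;
}

typedef int32_t (*mid_fn)(int32_t, int32_t);

/* Binary search over a constructed "virtual" sorted array of n elements
 * in which element i holds the value i; this exercises n close to
 * INT32_MAX without allocating 8 GiB.  Returns the index of key, -1 if
 * absent, or -2 when the midpoint leaves [low, high], which is the
 * point where Java threw ArrayIndexOutOfBoundsException. */
int32_t search_identity(int32_t key, int32_t n, mid_fn mid) {
    int32_t low = 0, high = n - 1;
    while (low <= high) {
        int32_t m = mid(low, high);
        if (m < low || m > high)
            return -2;               /* overflowed midpoint */
        int32_t value = m;           /* a[m] == m in the virtual array */
        if (value == key)
            return m;
        if (value < key)
            low = m + 1;
        else
            high = m - 1;
    }
    return -1;
}

int32_t search_naive(int32_t key, int32_t n) { return search_identity(key, n, mid_naive); }
int32_t search_fixed(int32_t key, int32_t n) { return search_identity(key, n, mid_safe); }

int main(void) {
    int32_t n = INT32_MAX - 1, key = 2147483000;
    printf("naive: %d\n", (int)search_naive(key, n));   /* -2: overflow on 2nd probe */
    printf("fixed: %d\n", (int)search_fixed(key, n));   /* 2147483000 */
    return 0;
}
```

On small inputs both midpoint formulas behave identically, which is exactly why the bug survived nine years of use; it only surfaces once the array has more than about 2^30 elements.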
Can programmers do better? Software testing using services such as Veracode's can certainly help, but no such solution is perfect. In some cases, application architecture or choice of language can make thorough testing impractical.