Experts ponder software security conundrum


The subject of software security has never been particularly uplifting, but it seems to be getting more depressing as software underpins more and more aspects of our lives. Managing routine vulnerabilities and dealing with massive system failures are costly activities, and the forecast is for higher costs. It is a conundrum that boggles some of the best minds in the business.

In a guest editorial at ZDNet, Google security researcher Michal Zalewski takes a harsh view of the industry's track record in evaluating software security. "[F]or several decades, we have in essence completely failed to come up with even the most rudimentary, usable frameworks for understanding and assessing the security of modern software," he writes.

Zalewski argues that industry and experts have been primarily reactive, focusing on managing vulnerabilities and detecting malware. Enterprises have come to put their hopes in risk management, which takes resources away from trying to understand and contain the problems. Risk management "introduces a dangerous fallacy: That structured inadequacy is almost as good as adequacy, and that underfunded security efforts plus risk management are about as good as properly funded security work," Zalewski writes.  

Security issues are going to get worse as information technology becomes a more integral part of everyday life, warns Andreas M. Antonopoulos in a post at NetworkWorld. With the increased use of mobile devices, automotive computing and the smart grid will come more security concerns and more controls. "Up to now, we've worried about computers messing with our money. Now we can add to that the worry of computers tracking our location, killing our power and crashing our cars," Antonopoulos writes. "As a security professional I am simultaneously appalled and hopeful for my job security."

For more:
- see Michal Zalewski's editorial at ZDNet
- see Andreas M. Antonopoulos' column at NetworkWorld

Related articles:
- Security firm: Microsoft issued silent patches last month
- Orbitz CISO's advice on managing vulnerabilities