Computer security problems have existed since the dawn of the digital computer era. Site security - the control over the knowledge of the site and access to the site in which the computer was located - was the principle concern before computers could be accessed remotely and have data electronically transferred from computer to computer. Site security remains an important portion of the overall set of computer security issues but since has been joined by various other issues. Routine remote access to computers has made unauthorized access much easier to achieve.
Today, it should be taken for granted that any computer that is accessible from any public network - particularly the Internet - is a likely target for hackers. Routine transfers of data between computers also have facilitated both unauthorized access and the spread of malicious software. Even computers that are isolated from networks are vulnerable to infection by malicious software on portable storage devices (Adams 2000). These problems, together with the increasing dependence on computers during both routine and critical activities, have made it necessary to focus additional effort toward combating computer security problems.
Site security and hardware support for security still are valid and important areas of study. They generally are beyond the scope of an academic computer science study of computer security, though. Instead, this study focuses on the computer security problems related to and addressable by computer software. Whether by errors in design and coding or by user-perceived shortcomings in features and usability, all non-trivial software is imperfect (Bailey 2008), even trivial software, such as a throwaway developmental prototype program or even a simple “Hello World!” program, can be considered a potential security problem if it either can grant unauthorized access or can deny authorized access due to abuse or even just excessive use. Indeed, all non-trivial computer software is a potential security problem and even some trivial software can be a potential security problem, while careful, skilled, and extensive testing may find some problems, testing rarely ever will locate all problems in a real world program (Bishop 2005).
Software development, like so many other fields of business, operates under management imposed priorities and constraints. Historically, for many projects, the priorities have been features and time-to-market. Constraints upon budgets and staffing have limited the work on the aspects of projects which management considerers to be of lesser priority. Security too frequently is given such a (lesser) priority. This is because security commonly is analyzed by management using a Return-On-Investment prioritization system. Significant investments in security may not seem to yield an obvious return on the investment required to create them unless someone invests even more time and resources by reviewing log records regularly and reporting their findings to management. A better model for setting the priority on security might be to consider security like an insurance policy. Any good business manager knows that a sufficient level of insurance is a necessity. Attempting to operate a business without sufficient insurance may be possible for some period of time; however, when ...