Security on the Internet is receiving increasing attention as more and more organizations are becoming dependent on the network. The use of the Internet for electronic commerce, government operations, research activities, and entertainment has now reached the point that attacks against the network and the systems connected to it have become major news items. While the press highlights a few high-profile incidents, the actual number of attacks is much higher. The CERT Coordination Center works with the Internet community to deal with incidents and responded to over 8,000 incidents in 1999. The incident projection for year 2000 is 17,000 to 20,000. At the same time, the amount of damage resulting from the incidents is also increasing. While the press often focuses on cases of web site graffiti, more serious cases of financial fraud, extortion, and debilitating denial of service attacks are being reported at increasing rates.

With rapid changes in technology, new products and applications appearing daily, and an explosion in the user population, it would be easy to believe that the security problems are a result of all of this change. Others theorize that attackers possess advanced technical skills and analytic capabilities and use these skills to discover and exploit subtle design flaws in systems and protocols. The incident data, however, suggests otherwise. The fact is, the vast majority of attacks are successful because of bugs in the programs: implementation errors that the software engineering community already knows how to avoid.

This presentation will provide an overview of the security problem, the rising costs of incidents, the vulnerabilities that are being exploited, and the need for the software engineering community to face and deal with the growing security problem.