Software, in general, is very complex, and the more functionality that we attempt to push into apps and operating systems, the more complicated software will become. The more complicated software becomes, the difficult it is to predict properly how it will react in all possible scenarios, which makes it much harder to secure.
Recent operating systems and apps are growing in lines of code. Windows OS has about 40 million lines of code. Unix and Linux operating systems have much less, normally around 2 million LOC. A general estimate used in the industry is that there are between 5 to 50 bugs per 1,000 lines of code.
It is very hard to attempt to logically understand and secure all these lines of code, but the complexity does not stop there. The programming industry has grown from traditional programming languages to object-oriented languages (OOP), which allows for a modular approach to developing software. This approach has a lot of advantages: reusable elements, faster to market times, less time for programming, and easier methods to troubleshoot and update individual modules within the software.
But applications and operating systems use each other’s elements, users download various kinds of mobile code to extend functionality, DLLs are installed and shared, and instead of application-to-operating system communication, today many apps communicate directly with each other. The operating system cannot control this type of data flow and provide security against potential compromises.
If the software does not include 5–50 exploitable bugs within every 1,000 lines of code, it will be so easy to secure everything.
