Is there anything to fear from hackers using higher-quality software development methods to produce exploits?
Exploits don’t really need to be high quality. If you write a rootkit, it better be high quality. You can’t take control of the operating system and cause it to crash; you’ll get noticed. The people who really need to pay attention to software quality are not the attackers, it’s the people writing software.
Then there are different types of hackers: plain hackers, criminals, information warfare professionals. Can hackers be identified by the design and implementation of their exploits, such as industrial espionage, government-sponsored information warfare, etc.?
I’m not an expert here. But there are exploit kits, especially for things like viruses and worms, and you can, in theory, do historical forensics on the origins of exploits.
What are the economics of investing in software quality and security early in the design phase, in terms of things like reduced support costs, security exposure, reduced patches and higher performance?
Barry Boehm, a famous software security guru at USC, did