Software Security

The Big Fix

14.10.2002
By Scott Berinato

As networking spread and featureitis took hold, some systems were compromised. The worst case was in 1988 when a graduate student at Cornell University set off a worm on the ARPAnet that replicated itself to 6,000 hosts and brought down the network. At the time, events like that were the exception.

By 1996, the Internet supported 16 million hosts. Application security - or, more specifically, the lack of it - turned exponentially worse. The Internet was a joke in terms of security, easily compromised by dedicated attackers. Teenagers were cracking anything they wanted to: NASA, the Pentagon, the Mexican finance ministry. The odd part is, while the world changed, software development did not. It stuck to its features/deadlines culture despite the security problem.

Even today, the software development methodologies most commonly used still cater to deadlines and features, and not security. "We have a really smart senior business manager here who controls a large chunk of this corporation but hasn't a clue what's necessary for security," says an information security officer at one of the largest financial institutions in the world. "She looks at security as, Will it cost me customers if I do it? She concludes that requiring complicated, alphanumeric passwords means losing 12 percent of our customers. So she says no way."
