What's the next tech problem to be solved in software security?

[wietse at porcupine.org (Wietse Venema)]

Kenneth Van Wyk:
> What do you think is the _next_ technological problem for the  
> software security community to solve?  PLEASE, let's NOT go down the  
> rat hole of senior management buy-in, use [this language], etc.  (In  
> fact, be warned that I will /dev/null any responses in this thread  
> that go there.)  So, what technology could/would make life easier for  
> a secure software developer?  Better source code analysis?  High(er)  
> level languages to help automate design reviews?  Better security  
> testing tools?  To any of these, *better* in what ways, specifically?

I've often said that programming should be a million times more
difficult, so that fewer people will be able to write code.

However, that is not the direction where things evolve. Instead,
more and more people, with less and less experience, will be
"programming" computer systems.

The challenge is to provide environments that allow less experienced
people to "program" computer systems without introducing gaping
holes or other unexpected behavior.

An example is the popular PHP language. Writing code is comparatively
easy, but writing secure code is comparatively hard. I'm working on
the second part, but I don't expect miracles.

The solution is likely to be a completely different programming
model. The spreadsheet is approaching its 30th birthday. That
is too long ago.

        Wietse