Software is ubiquitous, even in places you wouldn’t imagine.

Software is so seamlessly interwoven into the fabric of modern living that it fades into the background without notice. We interact with software not only on home or office computers, but in our routine everyday activities—as we drive to the office in our cars, as we buy things at the supermarket, as we withdraw cash from an ATM, and even when we listen to music or make a phone call.

Chapter 1 surveys the landscape of software failures due to bad security, bad design, and bad development practices. We’ll look at the increasing volume of vulnerabilities, the breadth of their exposure, and the depth of the problems they cause. Finally, we’ll examine the true costs of problematic software and begin to explore solutions related to people, process, and technology to end the chaos once and for all.

Software is not used just by a small cross section of the modern-day society—the entire population depends on it. Airlines, banks, telecommunications companies, hospitals, supermarkets, gas stations, voting infrastructures, and countless other institutions rely on software.

Automated teller machines (ATMs) make our lives easier—24×7 access, depositing checks or cash, drive-up access, and even postage stamp purchasing. As you witness people in checkout lines starting writing checks for their groceries, you may grow frustrated or impatient because you know that payment cards (debit and credit) take only a few seconds to complete a purchase, and you wonder why anyone bothers with checks or paper anymore.

At this stage of technological innovation, we’ve come to realize that software must not only function properly but also be available to us at all times and in all places so that we can continue to thrive in the digital ways of life to which we’ve grown accustomed.

When software and the networked devices that it runs on fail, we often can’t figure out what to do and begin to panic. Think of a typical Sunday morning: You’re shopping at your local neighborhood supermarket and the checkout lines stop because of a widespread system crash. What do you do? Abandon your cart and start over somewhere else? Stick around to see whether the problem is resolved soon? Wait for further instructions?

Now think about the same thing happening in an online store such as Amazon.com. Between the losses of revenue, the bad press they’re certainly likely to receive, the loss of shoppers’ confidence, and the eventual hit their stock prices will take, companies and organizations simply can’t afford to take a risk with unreliable software, yet they stake their businesses on it daily.

While we’d like to believe that software is as reliable as it needs to be, reality proves us wrong every time. Throughout this book, we’ll examine what makes software fragile, brittle, and resistant to reliability and resilience. What we refer to as software resilience is an adaptation of the National Infrastructure Advisory Council (NIAC) definition of infrastructure resilience:

The Computer Emergency Response Team (CERT) Program is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. The center was formed following the Morris worm incident, which brought roughly 10% of Internet systems to a complete halt back in 1988. The Defense Advanced Research Projects Agency (DARPA) established a mandate for the SEI to set up a center to coordinate communication among experts during computer security emergencies and to help prevent future incidents. Table 1.1 shows CERT statistics on the number of vulnerabilities it has cataloged since 1998. CERT has since stopped publishing these statistics, but it provides the historical data for research value.