Why Software Remains Insecure—and Why It Really Shouldn't
In a recent blog post, Daniel Miessler theorizes that the benefits of quickly building bad software have so far outweighed the downsides. Though this sounds plausible and seductive, there is a more insidious picture being overlooked. Let me explain this from the perspective of an individual’s diet and health as an analogy.
Exotic, tasty, and calorie-dense foods delight the senses. They generate lots of dopamine and other feel-good chemicals that make you want to go back for more, especially as newer and more exotic dishes are created from all over the world, and are accessible without much difficulty. Yet, many of these foods are accompanied by risks of minor health problems.
These minor problems you experience when overindulging or eating the wrong kinds of foods—gas, heartburn, indigestion, occasional food-poisoning, etc.—are generally not so serious that you'd abstain from the foods entirely. So, perhaps for you, the benefits far outweigh the costs caused by occasional problems.
However, you also know that not all foods are safe all the time. Salmonella, hepatitis, diseased meat, mercury-laced fish, food allergies and more are a reality. You learn about these on the news, but don't worry about them very much because you don't see them happening often—and I'm sure you've realized by now that this is only because society has agreed to regulate the safety of food to the extent that it does.
But, what if there were no regulations? What if every food item came with hidden danger at all times? In small doses, this wouldn’t create a major problem, but with continuous abuse, systemic health problems would emerge. I'm sure you've heard of the link between high-fructose corn syrup and diabetes, trans-fats and cholesterol, or even alcohol and addiction. All of these items in moderation don't automatically lead to their negative counterpart.
Now look around you. The US has the highest percentage of obese people in the world. Not only do other Organisation for Economic Co-operation and Development (OECD) countries have rising levels of obesity, but even third-world countries are starting to show signs of this problem. Think about all the costs this imposes on society: illness, out-of-control healthcare costs, lost productivity, food waste, depression, etc.
Security is a discipline that is necessary to achieve balance, like exercise and a healthy diet. While it doesn't guarantee happiness or a perfect life, it does not rob you of your potential to achieve what you want. In fact, consistently striving for better security builds confidence because it reflects a sense of control that comes from knowledge and awareness of your environment. A lack of security is the equivalent of continuous attacks on your system, leading to "death by a thousand cuts." Each blow is irrelevant, but collectively—as trust is eroded by every cut—it adds up until the system cannot cope and it implodes.
The internet is one of the most marvelous creations of humankind. It enables people from around the world to come together, to discover, learn, collaborate, understand and to achieve things that were formerly impossible without this level of connectivity and communication. Every single one of the computing creations that could be qualified as calorie-dense, exotic, and tasty provides a benefit, but without the right level of security, trust is eroded one cut at a time.
Hundreds of billions, perhaps trillions, of dollars have been invested in taking business processes to the internet. The cloud, for example, is a wonderful, enabling, accessible tool. Without adequate security and some self-imposed moderation on how services on the internet are used, those investments will be wasted. We haven't had this technology long enough (just 25+ years) to understand its long-term consequences, but we're already seeing its effects as non-democratic nations use these weaknesses to destabilize democratic ones.
If one individual dies of excess, the world moves on. But, if democracy dies for lack of security and the trust it engenders, what do you have left?