Sep 25 2014

“All we need to do is …. redo everything”

Published by at 10:04 pm under General,Risk,Simple Security

I love listening to idealists.  In fact, I’d be one if it wasn’t for the crushing despair and cynicism that working in the security profession has instilled in me.  Or maybe I work in this field because the crushing despair and cynicism already existed.  In either case, I’ve lost the ability to even think “we could just fix all of our security problems if we just …”.  And when I see others saying the same thing, I have to shake my head in amusement at their naivete.  But it really makes me wonder when I see someone who’s been in security even longer than I have say those words.  Especially when it’s someone like Ivan Ristic.

Ivan is arguing in his post that all we need to do is create tools and languages that don’t allow XSS or SQL injection and the world will be a better place.  He’s right, but the very next thing is admit how unlikely this is in the real world.  Such languages and tools would be a wonder to behold, but they’d kill backwards compatibility.  If you’ve ever worked in a web server farm, you know this just isn’t going to happen.  Actually, if you’ve worked in any aspect of IT, you know that killing anything by not supporting backwards compatibility is nearly impossible.  Even if there’s only one user who’d be affected by it, the powers that be simply won’t let anyone who might give them a few cents more be left behind.

We live in a real world, however surreal it might sometimes feel.  The problems in security are big, complex and ugly.  There are simple solutions, such as what Ivan’s suggesting, but the problem with simple solutions is that they come at a high price.  We’re not going to get programming languages that don’t let developers create security holes, because sometimes that’s the easiest way for them to get their jobs done.  We might get away with it if we introduce tools that make it easier to program securely then slowly close the holes that allow for insecure coding.  But this is a solution that’s going to be decades in the making, not overnight.

There is no “All we need to do is…” in security.  It’s always more complex than it first seems.

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

3 responses so far

3 Responses to ““All we need to do is …. redo everything””

  1. jmcbootson 26 Sep 2014 at 6:59 am

    There will come a time… In the not to distant future I suspect too… That the cost of poor security practices will overwhelm the desire for backwards compatibility.

    We will rebuild our infrastructures and there will be much pain.

    But good security practices will overcome and the world will be a better more secure place.

    Then some new hacks will come around and make the whole effort moot.


  2. Scott Wrighton 27 Sep 2014 at 3:46 am

    Great observations, Martin. I shared this on my LinkedIn feed.

    I’d just add that I feel marginally less depressed when people with a nice, simple idea go the extra 73 miles and detail a vision that includes a realistic set of steps to get there, and then start a real movement in that direction (e.g set up a wiki and co-opt some thought leaders, and maybe funding to get the momentum going in that direction). But that takes more effort than writing a blog post, and provides no guaranteed success – or even sense of achievement – so it rarely happens.


  3. […] Network Security Blog: ““All we need to do is …. redo everything”” Visit Source […]

%d bloggers like this: