Over the past few weeks I’ve been talking to a number of information security experts from government, academia and business. Their jobs involve finding new ways to keep data safe from attackers. And despite new tools, techniques and policies, their jobs continue to get more difficult.
Why? Nearly universally they pointed to complexity as one of the core causes. As software of all types gets more convoluted and involves more features, more interfaces and — by extension — more lines of code, it gets harder to adequately test for vulnerabilities.
The solution, according to these experts, is reducing complexity from the start: simpler software broken down into smaller, easier to manage components; single-purpose hardware running hardened, dedicated operating systems without all the extensions, ports and other holes commonly found in today’s “appliances” running this or that version of Linux, Unix or Windows.
Unfortunately, what they’re calling for is going to be hard to achieve. Rewriting most of today’s applications in the interest of making it easier to test for security holes would slow down development dramatically, and increase costs.
Writing single-purpose operating systems that require custom software is a thankless task, too.
The solution, it seems, is one I don’t call for very often — lawsuits. I’m not a big fan of the “If you don’t like it, sue” approach to life, but this is one case where it makes sense. No place else in our life do we accept such dismal performance as we do from information technology.
I’m still waiting for the big suit to happen — and it will. Some company is going to install buggy code, not get it patched, have a problem, and cost litigious shareholders millions. The shareholders will sue; the sued company will in turn sue its software vendor. And once those suits start, I expect they will be hard to turn off. Will it be good for the software industry? In the short term, probably not, as companies will need to start spending a fortune defending themselves instead of building new products. But if the result is better tools that are easier to defend, it will eventually lead to an upside for the IT community. An upside that we desperately need.