Now let’s think about security. Of all the things going on, all the products out there, all the methodologies, security is always the special snowflake. For being so special, you’d think we could get more of it right. If everything were fine, the Red Team wouldn’t win. every. single. time.
The reality is that until we stop treating security like some sort of special add-on, we’re not going to see any real improvement. Think about any product you use: there are always things that are just an expected part of it. Security should fall into this category. Imagine if your car didn’t come with locks. Or if it had locks, but you had to cut your own keys before you could use them. What if every safe shipped with the same combination, and if you wanted a different one you had to pay for it? There are a lot of things we just expect because they make sense.
I’m sure you get the idea I’m shooting for here. Today we treat security like something special. You have to buy a security solution if you want to be secure. Or you have to configure your product a certain way if you want it to be secure. If we want to really start solving security problems, we have to make sure security isn’t something special we talk about later, or plan to add in version two. It has to just be a part of everything. There shouldn’t be “secure options”; all the options need to be what we would call “secure” today. The days of security as an optional requirement are long gone. Remember when we thought those old SSL versions and ciphers could just stick around forever? Nobody thinks that anymore.
How are we going to fix this? That’s the real trick. It’s easy to talk about demanding security and voting with your pocketbook, but the reality is that this isn’t really possible today. Security isn’t usually a big differentiator. If we expect security to just be part of everything, we also can’t expect anyone to see security as a feature they look for. How do we ensure there is demand for something that is, by definition, a secondary requirement? How do we get developers to care about something that isn’t part of the requirements? How do we get organizations to pay for something that doesn’t generate revenue?
There are some groups trying to do the right thing here. I think almost everyone is starting to understand that security isn’t a feature. Of course, just because there’s some interest and people are beginning to understand doesn’t mean everything will be fixed quickly or easily. We still have a long way to go. It won’t be easy, and it won’t be quick. It’s possible everything could go off the rails. The only thing harder than security is planning for security 🙂
Do you think you know how to fix this mess? Impress me with your ideas: @joshbressers