One of the most worrying common traits of software development is that security is left out because of cost. The result is that much of the software we use today has vulnerabilities; we would go as far as to say that all of it does.

Taking this further, we also need to be concerned with system security, which goes hand in hand with the security of each individual item of software that makes up the system.

In this post we will try to answer from a different angle. Rather than focus on the difficulties of software development and its technical challenges (differing operating systems, compilation conundrums and so on, which are of the utmost importance), we will look at the lateral causes.

Humans make mistakes

Well, there is probably no surprise there. Obviously a software developer is bound to make some errors when writing many lines of code. That is true, but more important is how many mistakes are made in the conceptual phase: on the project drawing board, or in the perception of risk versus reward as a solution is being prepared.

It is the general project mentality that is the focus of this post. We won't concern ourselves with security products, Microsoft hotfixes or the availability of zero-day exploits. Whilst these are important, we believe the normal day-to-day software, which is not deemed a security release, is more worthy of focus, because this is what builds up the portfolio of applications that forms the COE (Common Operating Environment) or corporate build.

Often the project pressure to get things out of the door outweighs the sheer size of the technical task.

In order to ensure deadlines and milestones are met, corners are cut and the result is a trade-off: we reduce testing, drop a version, de-scope certain elements. It is this process that leads to problems found later, as releases contain flaws, or elements combine to cause a sequence of events that exposes a weakness.

It is instinct that drives the human mind to look for the best possible outcome. Any constraint leads to a reduction in quality elsewhere, and we accept this in order to get the job done.

The needs of the many outweigh the needs of the few

In an ideal world a new system would have prototypes, many rounds of testing, a return to the drawing board, and more prototypes and testing. In the reality of fast-paced software development these often get little more than lip service, with the expectation that the product will be fit for purpose despite a minimal understanding of the risks at stake.

A solution design may be technically perfect, but when we visit the cost centre and the strategic vision centre we tend to dilute the solution to make it fit within them. This is often because we don't want to rock the boat with either the client or the senior management teams involved.

You get what you pay for

We all want a service as fast as possible and as cheap as possible, and often there will be hell to pay if an error occurs. The human mind does not comprehend that if you continuously try to reduce the cost of something, quality will suffer. The current economic crisis is testament to this: in an attempt to increase the yield from investments, the quality of those investments became fatally flawed. We are all now running round like headless chickens looking for solutions to a crisis that should never have been allowed to happen. With the right risk mitigation strategies and due diligence, the weaknesses in the investments should have been uncovered, but unfortunately greed got in the way, corners were cut, and the results speak for themselves.

Idealistic, perfect software does exist, but in most cases it is not in the project budget. The first thing to go when cutting costs is security. Unfortunately it is one of the areas that costs a lot, but offers no direct reward or gain as perceived by the business.

Three Nine provide a comprehensive range of consultancy services to help enterprises face the most demanding security, information management, information technology, disaster recovery/business continuity and project management challenges.

Irrespective of size or sector, Three Nine aim to provide an unequalled service to help our clients sleep soundly in their beds, in the knowledge that the threats of spam, hacking, malicious attacks, accidental loss and data theft are reduced to the absolute minimum, if not eradicated altogether.

For more information about which services we can help you with, please call 0845 689 0033 or contact us.