Open any tech news aggregator and chances are, one-third of all news will be security-related. What we are seeing right now is insane raise of awareness to cyber security, dictated by security threats suddenly turning looming on the horizon to dangerously close to anybody on the Internet.
It is not your typical buzzword market fad, where everyone suddenly gets interested in next exciting topic in the development of modern tech, looking for ‘wild opportunities’. It’s an organic reaction of fear: attackers grow equipped better every year, attacks grow in number and sophistication. They will not go away unless industry learns how to deal with them. And there's nobody to blame - every engineer, every hardware manufacturer contributes to global, interconnected landscape, where your coffee machine might be another asset in a botnet built to attack the core infrastructure of Internet.
Financial incentives are as strong as ever before,- but also attackers now have an ecosystem, developing over the years into multi-billion underworld industries around sponsoring vulnerability research, supplying malicious technology, laundering criminally generated profits.
There’s another factor to it: dozens of new languages, virtualization techniques, programming paradigms, a new package manager for front-end coming out every week - developers are busy keeping up with the development of new, fancier techniques. Frequently, at cost of common sense and traditional knowledge.
Now add pressure to deliver quicker, more scalable products instantly aimed at the global market.
No wonder building proper security instrumentation just feels so much like
“It’s too hard, shouldn't programming be fun?”
“Couldn’t you guys just write us a checklist of things we have to do?”.
No. Traders in Wild America had a list of ‘guns, ammunition, and men capable of operating them with a brave heart and cold brain’. That didn’t stop the crime happening. Laws, infrastructure and well-established practices and protocols do.
Right now, it’s only your toaster running DoS on core infrastructure of the Internet.
Some of bigger companies will be fine: they can afford hiring cryptographers, security engineers and ensuring the high level of internal coding culture to actually build safe products. They’ve already built strong walls outside their infrastructures, and strong security culture inside.
But what happens, if your product is not within Google’s infrastructure or not under the tight supervision of security engineers?
Sooner or later, every sane customer will base their decisions on “will my data be secure and private, will the service damage me in one way or another if being compromised”. And they will not wait until the breach occurs to migrate to a safer place: soon enough, everybody sane enough would either be questioning your security before choosing the services you offer or rely on some industrial certification or expert opinion.
This already happened in many spheres of human activities in history, so your regular Internet service or mobile app is no exclusion.
Making forecasts is a bad game: we don’t know how much we actually don’t know. But human choice frequently repeats itself, and there are certain plateaus in any change. Whenever it comes,- it settles on efficient compromises:
Large companies will use the Internet as a network to connect their highly-secure walled gardens.
Companies who rely on the Internet to connect to their customers will do so in a very controlled manner.
The rest will become a playground for criminals, botnets, spam relays or will get naturally out-regulated by the market choice.
The rest of us will populate much less secure Internet, where default expected outcome is similar to reults of going out to grab a beer in Brazilian favela at night. And, willingly or not, we will not only harm us or our clients,- but instantly become relay for hundreds of attacks going in any direction, contributing to the mess and amplifying it.
First of all, it’s important to understand that proper development approaches, engineering culture and a decent level of interest in how your software may get broken are already worth a lot.
Once you start looking at things from the correct angle, many amazing techniques and ideas will become obvious:
There is no magic bullet: every recipe is a mitigation for threat.
Understanding security is understanding:
threats you face (threat model)
what can be attacked (attack surface)
how it can be attacked (threat vectors)
Engineering for security is different from regular development:
In regular development, there are recipes which you follow and everything works.
In security development, you address your specific potential problems with solutions that:
don’t break things
But to be willing to invest energy into secure development, it is important to understand that security is the basic property, not a feature that is added at some point.
And then we all will be good. Or, at least, have hope for decent shared experience in cyberspace.