The Wrong Kind of Security

I hate unnecessary security. Security in software is a bit like going to the dentist or having a vaccination. It's awful but you've got to have it. Much worse, though, is when it's awful and you really don't need it.

 

For two years, I've been going around talking to groups of professional software programmers and asking them, using workshops, "what is the important security and privacy for your product?"

One of the first companies I worked with makes management finance software. They thought about what they needed, and eventually concluded that they'd been spending their effort and time defending themselves against attacks by anonymous hackers, whereas actually their biggest security problem would be one customer accidentally seeing another customer's data. The latter would have lost them customers, whereas data theft by an anonymous hacker might well have no more than embarrassed them. They fixed some data visibility problems immediately.

I continued asking the same question with a number of other companies and ten out of a dozen concluded after their workshops that actually they had been chasing some of the wrong kinds of security: the security problems they were solving were not the ones that mattered most to their customers.

Many examples

There are many familiar examples of this. Facebook defended very nicely against hackers getting the 'wrong' data from their APIs; but the Cambridge Analytica scandal showed that even the 'right' data could be embarrassing to Facebook.

 

In The Phoenix Project, an excellent book about DevOps, the security specialist despairs because developers haven’t implemented security features in the company management software. Yet when the auditors come, they find the missing security features to be unnecessary, as manual checks do the job fine.

 

Or there were the WhatsApp developers, who protected their person-to-person secure communication superbly, but then found that an unnoticed glitch in their app software could allow a phone to be taken over by hostiles. Their very power in protecting communication for people threatened by rogue states made the impact of that glitch huge.

 

What you can do about it

So please don’t waste time implementing the wrong kind of security.

 

After five years of researching this kind of problem and much more, we have produced workshops to help teams focus on the security that matters to their customers. You can read more about them, and even use them for free, here at SecureDevelopment.org.

 

- Charles
Door image from HibaSiddiqui on Wikipedia