Software is like Sausage
Software is like sausage. The more you understand how it's made, the less you enjoy it.
The more I’ve been involved in the development of software, the more uneasy I’ve become about using it for my own day to day needs. When I have to enter information, I often think about who might have developed the software and the conditions under which it was produced. The image of a sloppy coder under the gun often comes to mind.
I’ve seen some awful things done in the name of getting things done, usually to satisfy some angry client or bossy manager, but also due to the ignorance and laziness of those tasked with writing software. It’s well known that people make mistakes under pressure. It is also unfortunate that many software developers take little pride in their work. It is also probably true to say that effective security is rarely a top priority for many applications.
As time goes on, you might think the situation would improve. However, consider the recent news of a security vulnerability in the iOS apps of Facebook and Dropbox.
Even though it would take a determined hacker to exploit this particular vulnerability, considering the number of iOS devices and the increasing number of applications being built at a breakneck pace, it is reasonable to assume that some users may not protect their device with a passcode. If they do, some of them will choose an insecure passcode. It makes you wonder if this was considered an acceptable level of risk by the design teams. Millions of users entrust their data to these companies, so they deserve better in return for their patronage.
I can picture the pressure at these companies to get things out the door. I’ve seen the same thing done many times - hardcoding or storing credentials or tokens in plain text during development, because implementing security is not a priority or is perhaps intimidating. Or it’s not a problem until somebody says it is. Perhaps security was not a major consideration during the design or development of these applications. I’m sure this sounds familiar, so it’s hardly shocking.
Where security is an important aspect of a domain, such as finance or banking, it is reasonable to assume that effective safeguards have been taken at all stages of product development. I hope this is not wishful thinking, but when security breaches have significant implications, I assume security receives the serious consideration it deserves. Perhaps security should be an important part of every domain.
Web application security has come a long way. It is interesting that the vulnerability mentioned in this article affects a new generation of mobile applications. With the proliferation of software and the people writing it, and the competition to stay ahead of your rivals, it’s likely that effective security continues to be low on the list of priorities. Something to consider the next time you hand over your information - it could end up costing you a lot more that 99 cents.
Originally published April 24, 2012blog comments powered by Disqus