Why do they write insecure code?

(Figure: illustration of the fencepost off-by-...)

First of all, nobody teaches engineers to write secure code. When people study mechanical engineering, they spend a great deal of time calculating their designs for reliability and safety. They learn that a bridge must be redundantly safe, that there is a plethora of things that can go wrong with an elevator, and so on. Do they learn anything like that in computer classes? No, far from it. People learn programming languages and sometimes something about cryptographic protocols. But they never learn how to make systems stable, safe and secure. They never learn what can happen to a computer system in real life, and they never practice taking preventive measures the way any other engineering specialist would.

Many programmers are then lured into the false safe havens of firewalls, of “safe” languages that supposedly “take care of things for them”, and of the proclaimed security of frameworks. Guess what: none of that is true. No language is “safe” by itself, no firewall compensates for a vulnerable application, and no framework is perfect. But people are inherently lazy, and they prefer to blame someone else instead of taking responsibility.
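The fencepost off-by-one error from the illustration above is a good case in point. The following is an added example, not code from the original post; the lockout policy, the function names and the simulated attempts are all hypothetical. It shows that a memory-safe language such as Python stops the classic consequence of an off-by-one (silent memory corruption) but does nothing about the logic error itself: a lockout check written with the wrong comparison quietly grants one attempt more than the policy allows, and an inclusive loop bound still crashes the program instead of corrupting it.

```python
# Added example (not from the original post). Names and policy are hypothetical.

MAX_FAILED_ATTEMPTS = 3  # hypothetical policy: lock the account after 3 failures


def locked_buggy(failed_so_far: int) -> bool:
    """Fencepost bug: '>' lets the (MAX+1)th attempt through before locking."""
    return failed_so_far > MAX_FAILED_ATTEMPTS


def locked_fixed(failed_so_far: int) -> bool:
    """Correct check: lock as soon as MAX failures have been recorded."""
    return failed_so_far >= MAX_FAILED_ATTEMPTS


def attempts_let_through(is_locked, tries: int = 10) -> int:
    """Simulate an attacker hammering a login with wrong passwords.

    Returns how many guesses the policy actually accepted before lockout.
    Every guess is assumed to fail (the attacker does not know the password).
    """
    failed = 0
    accepted = 0
    for _ in range(tries):
        if is_locked(failed):
            break
        accepted += 1   # the guess was processed against the password store
        failed += 1     # ...and recorded as a failure
    return accepted


def copy_inclusive_bound(src: bytes) -> bytes:
    """The C-style 'i <= len' loop. In C this reads one byte past the buffer;
    Python refuses with IndexError, so memory safety turns silent corruption
    into a crash (a denial of service), not into correct behaviour."""
    out = bytearray()
    for i in range(len(src) + 1):   # off by one: should be range(len(src))
        out.append(src[i])
    return bytes(out)


def inclusive_bound_is_caught(src: bytes) -> bool:
    """True if the runtime caught the out-of-bounds read instead of allowing it."""
    try:
        copy_inclusive_bound(src)
    except IndexError:
        return True
    return False


if __name__ == "__main__":
    print("buggy policy accepted:", attempts_let_through(locked_buggy))   # 4
    print("fixed policy accepted:", attempts_let_through(locked_fixed))   # 3
    print("runtime caught overrun:", inclusive_bound_is_caught(b"abc"))  # True
```

The point is not that Python is bad: the IndexError is exactly the protection a memory-safe language promises. The point is that the language has no idea what your policy was, so the extra password guess goes through regardless of what the framework or the firewall promised.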

And on top of all that comes the cost. Software is a form of art. Good, truly professional programmers cost a lot of money. Good designs and their implementations take a lot of resources, which is to say money. Security features are costly; security measures are even more costly. And companies are not willing to pay, customers are not willing to pay, everybody just complains about poor security, and the world moves on, selecting the lowest bidder to implement security-critical infrastructure.

We’re sitting on four million pounds of fuel, one nuclear weapon and a thing that has two hundred thousand moving parts built by the lowest bidder.
— “Rockhound” in the movie “Armageddon”

Do you really think anything will change for the better if none of the above changes?

2 thoughts on “Why do they write insecure code?”

  1. So what’s your contribution to the solution?
    I think it doesn’t make sense to call software “a form of art” and pretend the end results are “secure”. Art is meant to express, not to provide confidence.
    On the other hand I think openness in the development ecosystem, public source code, blogging and commenting is helping the fast-paced world of software become tighter and more reliable on the basis that no product is ever “finished”, but is an ongoing process in itself.

  2. I think software is a form of art. All attempts to mass-produce software have so far failed miserably. But that is beside the point. We could argue forever about what art is meant to be and what it is not; that does not bring us any closer to any interesting results. Nor do buzzwords.

    As for my contribution, why don’t you head over to http://holyhash.wordpress.com/ and have a look?
