I agree regarding your gloomy view of the future. It's ironic the counterculture "hackers" have enabled (by providing an excuse) today's run-patch-run-patch-reboot software environment and tomorrow's software Stalinism.
I don't think we're going to start building real security. Because real security is not something you build--it's something you get when you leave out all the other garbage as part of your design process. Purpose-designed and purpose-built software is more expensive to build, but cheaper to maintain. The prevailing wisdom about software return on investment doesn't factor in patching and patch-related downtime, because if it did, the numbers would stink. Meanwhile, I've seen purpose-built Internet systems run for years without patching because they didn't rely on bloated components. I doubt industry will catch on.
The future will be captive data running on purpose-built back-end systems--and it won't be a secure future, because turning your data over always decreases your security. Few possess the understanding of complexity and good design principles necessary to build reliable or secure systems. So, effectively, outsourcing--or other forms of making security someone else's problem--will continue to seem attractive.
That doesn't look like a very rosy future to me. It's a shame, too, because getting this stuff correct is important. You're right that there are going to be disasters in our future. I think they're more likely to be accidents where the system crumbles under the weight of its own complexity, rather than hostile action. Will we even be able to figure out what happened, when it happens?
Folks, the captains have illuminated the "Fasten your seat belts" sign. We predict bumpy conditions ahead.
Bruce Schneier is CTO of BT Counterpane and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. For more information, visit his Web site at www.schneier.com.
Marcus Ranum is the CSO of Tenable Network Security and is a well-known security technology innovator, teacher and speaker. For more information, visit his Web site at www.ranum.com.
This was first published in January 2008