I remember (from listening to a bunch of podcasts by German hackers from the mid 00s) a strong vibe that the security of software systems at the time and earlier was definitely worse than what would've been optimal for the people making the software (definitely not safe enough for the users!).

I wonder whether that is (1) true and (if yes) (2) what led to this happening!

Maybe companies were just myopic when writing software then, and could've predicted the security problems but didn't care?

Or was it that the error in prediction was just an outlier, that companies and industries on average correctly predict the importance of safety & security, and this was just an outlier?

Or is this a common occurrence? Then one might chalk it up to (1) information asymmetries (normal users don't value the importance of software security, let alone evaluate the quality of a given piece of software) or (2) information problems in firms (managers had a personal incentive to cut corners on safety).

@niplav It's really amusing to me that you are writing this in the past tense, even if this makes sense, as it used to be much worse. Anyway, security is still often so low on the priority list when developing software that only near-zero-cost effort is exerted in that direction. Most of the improvement comes from easier-to-use libraries that do the right thing (the most obvious and likely impactful example is SSL) and more knowledge being disseminated among developers (so they can actually do the low-effort thing). The systemic reasons for security being neglected almost haven't changed (there is a tiny bit more regulation, so there is more cost to not having it) – and they are mostly (1), that is, there is a huge incentive to release software and features as soon as possible at the cost of everything else, and security is particularly easy to ignore, since approximately no one cares approximately ever.

@timorl

Thanks! This is useful.

My impression was that for very big companies and especially industry customers it has gotten better—Microsoft improving the security of Windows, Google creating the AFL &c

but then otoh I can imagine that this drops off very quickly as one moves to not-top-of-the-industry players
