Abject Failure and Complexity

I’ve been meaning to post this for ages – Marus Ranum on why information security is an abject failure. And he’s right – the problem is the complexity of todays interactions, both at a protocol and language level.

To me, the problem is one of failure of KISS (Keep It Simple, Stupid). Applications and protocols haven’t been, and we’ve had more tacking together of technologies, and expansion of complexity of everything.

I mean, consider what languages you needed to know 10 years ago, and now:

Then:

HTML 3.2, JavaScript maybe, Perl if you’re brave, SQL if you’re a hero.

Now (Microsoft Stack only):

HTML 3.4, 4 (various favours), XHTML, XML, XSL, XPATH, JavaScript (much more complex), ASP.NET 2.0, C# or VB, .NET frameworks 1.1, 2, 3 and 3.5 (soon), ADO, SQL, CSS, ‘AJAX’

That’s just the languages and base technologies – never mind getting into a higher level of software (e.g. SharePoint). Or non-MS technologies – Ruby, Rails, Python, Java in various forms…

It’s similar in protocols…

Then:

HTTP, HTTPS, FTP, SMTP / POP

Now:

HTTP, HTTPS, FTP, SMTP / POP, SOAP, Web Services (plus various extensions), IMAP, Various Peer-To-Peer protocols, Various Instant Messaging protocols

(Yes, those are fairly high level, and from different levels of the stack – but still, you’re expected to know about them.) (And yes, I suppose you’d need to know a bit about TCP/IP and IPSEC)

Does that sound simple? Does my granny skateboard?

(Well, no, but that would be so cool).

Security will be impossible with such a complex, varied stack of technologies, and developers simply won’t be able to specialise enough to know how to make secure enough applications. It alarms me how wrong people are getting password storage alone – I mean, this stuff has been known since the 70’s. If they can’t get that right, how will they manage with a such a deep and varied set of tools?

Advertisements
Abject Failure and Complexity

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s