The recent ransomware attacks have focused lots of minds on cyber security, however many of the solutions being proposed are little more than sticking plasters to the larger underlying issue – namely systems are not secure by default. The ‘trend’ in software has been to launch it, then fix it. This is a very attractive proposition for businesses, as it lets them discover the ideas that work and don’t work, and then iteratively improve them. Most of the gadgets we use in our lives today would not exist without this mentality. However, the dark side of this approach is that almost all software is not secure. The evidence shows that pretty much every system deployed has security flaws. The only question is who finds the flaws first – bad people or good people.
We read continually about new buffer overflows in tools that allow ‘bad guys’ to take over various systems. This week the unfortunate program was Avast AV. The bit that always surprises me is these issues are still occurring in code written relatively recently, we’ve known how to fix all these issues for many years, yet people keep writing code that has these defects. I’d argue that the main cause of this is premature optimization and ignorance.