Important note of Jul 10, 2021: this article was originally published in 2017. The grammatical errors are intentionally left unfixed, and the article itself is republished for historical reasons.
Let’s face it – software security is underappreciated. That’s probably not the topic you want to discuss at your local IT meetup, and the last software security hype wave had happened in 2014, three years ago from now, and had been caused by Heartbleed. Just for comparison, there are only 938 software security meetups active now, against 11 823 web development meetups, as meetup.com reports. Just to clarify it, the web development hype waves are happened almost every day by new JavaScript frameworks and CSS standards improvements.
Back in late nineties, top-notch software security engineers said: “You should either make it too expensive to hack or too long to hack.” The rich, mostly traditional companies were trying to use IT as the business tool, and of course they need their sensitive information like banking accounts and credentials to be safe. That’s why there always were high-paid software security engineers job vacancies there, and of course they have spent a lot of money to make their business. The big companies like IBM and Microsoft were able to spend a lot of money to pay their teams, but there were no way for aspiring tight-budget company to enter the business, it just were too expensive.
But why as important part of IT as the software security is about to become the lost art? The answer is the modern IT industry status. Nowadays the era of startups and individualists has come. The whole business have changed, and now we are have the independent art, independent music, and independent IT companies, that prefer to make their software open-source by default. For example, Express, the number one NodeJS framework for making web applications was created by TJ Holowaychuk, independent open-source developer. Uploadcare, the cloud storage used by Mozilla and others, was made by the independent team of three developers. Nowadays, your money, credentials, and personal data may be stored or processed with tools that has been made by just one man or small team.
What do we know about startups? The number one fact is that they are primarily focused on technologies used and the design, but mostly have no software security specialists employed. They care much about how their product makes someone feel, but almost always think that the frameworks they use are providing security by default. And we can’t blame them for thinking that way, because the times when the software security was the main thing to focus on have just gone.
It’s not just me thinking so. Google engineers thinks the same. As a result, the industry wants to transfer the responsibility of the software security from end product developers to the developers of frameworks and browsers. The advantages are clear: why it’s needed to reinvent the commonly used security algorithms instead of using trusted solution that has been tested and debugged ten thousand times by the others? Why reinvent re-captcha when you can just use original solution for free? There are solutions following the same pattern such as OAuth, access tokens, salty passwords, on-demand md5, and OpenSSL. Google made Chrome, the secure browser that have the security features like cross-site scripting protection built-in. Chrome audience is 73.7% (W3C Committee data), and the Opera (1%) and Safari (3.6%) are using the same browser engine which is open-source, thus, if you are hacker and you want to use XSS, there are only about 20% users that may be affected. If you look at the market of server-side languages, you could find out that PHP and ASP.NET, which are protected from SQL-injections by default, are 97% of the whole market.
Of course, every proficient developer should know common abuse cases. But for today, the main software security lack consists of the human factor. Teaching your users not to reuse credentials or not to tell everyone their credit card’s CVC could improve your whole system’s security much more than paranoidal protection from nonexistent evil hackers by reinventing the SQL or JavaScript sanitiser.
Thesis: software security of the nowadays is not about database leaks and hacking but social engineering.