Important note of Jul 10, 2021: this article was originally published in 2017. The grammatical errors are intentionally left unfixed, and the article itself is republished for historical reasons.
Software engineers and teenagers has some things in common: they are both creative, driven by bright ideas and dreams about the better future. Them both are idealists and do love perfect things. Sometimes the dreams are being shattered by unworthy things like economics, marketing and managers’ opinion, but sometimes they are not. The greatest example though is an open source software case.
Who would be sharing the software for free, why not to sell it, they said. Nevertheless, the open source software grows rapidly, and today the more and more software is tends to be open source. We are talking about the real projects like Linux, the operating system used literally everywhere, Express, the number one framework for developing high-load applications, MongoDB, the DBMS for implementing big data calculations, or the endless list of modern frameworks used by everyone from indie developers to the big corporations like Google or Facebook. Yes, everything listed is completely free. Even NASA rely on open source software.
MIT, the most popular IT university, stated that they would no longer teach the students SICP, the must-have programmers’ course. That’s because of the software in its entirety have changed. Today we are developing really complicated projects, every modern web app synchronises its virtual DOM with real DOM, serializes user’s data, session data and other, and sends it via COMET from client’s V8 in chrome to server’s V8 in NodeJS, then parses that data using Express and commits changes to both Mongo or Redis using Mongoose and Redux state container, and that happens every time you hit the Like button in a fancy user interface. We reached the point where there is absolutely impossible to develop an app from scratch. The customer’s tech specification are constantly changes and expands, the old software engineering approaches like “prototype at first, code at last” are no longer work. SICP, the golden legacy of software development was all about that, about abstraction prototyping and incremental model. Nowadays, the software development is more like LEGO assembling from spare parts, but not building a house. Today it’s all about what to make, not how to make, it’s all about reuse, and the open source frameworks which are for their own small tasks, and methodologies like Agile (prototyping while coding), Scrum and Evergreen are going to help.
Thus, if we have small blocks to assemble an app with, and we are going to focus on the app’s purpose instead of how it’s going to be made, we need that small blocks – frameworks and libraries – to be aware of security. And they are: things like salty passwords, die-hard compliant checksum generators, and input sanitizing are now tested well and enabled by default, there is no need to reimplement them. Instead of writing useless code, there is important to read the manual just to be sure that proper security level is ensured.
Does it mean we are safe now? No. Hackers realized that there is easier to trick a human than the highly-protected system, and the social engineering have fallen into place. It’s a lot easier to ask a person for his credit card number and CVC with email designed just like the bank’s one than to infiltrate into the bank’s highly protected database. The latest outrageous social engineering hype wave was caused by celebrities’ nudes being stolen from iCloud. Photos were stolen rough, just by guessing easy passwords like qwerty123, but not by exploiting software security flaws. As you can see, we are just ended up with a simple conclusion: the main software security flaw are sitting in front of the computer. And it’s of great importance to teach users the social engineering basics.
Do not share your credit card’s credentials. Do not reuse passwords. Read the manuals, do not trust the person who introduces himself as the bank’s employee and asking for your credit card number and two-factor SMS code.
Thesis: the software’s big piture have changed. The changes happened made the classic software security outdated.