The Poor State of Computer Security

Computers do what we programmers tell them to, and nothing more. And the fact is that most programmers (or "software engineers") are quite bad at telling computers to stay secure, myself included. We get the work done, but you shouldn't trust us with anything important.

Real-world examples

Below are some examples that I've seen with my own eyes, having worked in software engineering for five years.

Banking: I've worked on software for the banking industry. Nobody on the team knew very much about computer security, nor even the technologies we were using. We didn't have any kind of code review and no structured testing. One guy on the team was such a terrible programmer that it was pointless to assign him even the simplest tasks - the code was worsened every time he touched it.

Health care: I've worked on software used for reporting and analyzing incidents among health care providers. Nobody on the team had computer security training, there was no code review, and there was no structured testing.

Manufacturing industry: I've worked on sensitive systems within the manufacturing industry. As usual, no code review or structured testing. Nobody on the team knew very much about security, and when I pointed out a command injection vulnerability to a colleague, the reaction was "oh, but the user would never enter something weird into that field".

Payment solution providers: I've integrated a payment solution on a website. The library provided by the credit card processor had a basic security flaw: it didn't check whether the "payment received" message came from their system or whether the end-user ("Eve") made it up. I reported the security flaw to their team, and they corrected it half a year later. They never informed their users that they should update the library.

Payment solution implementations: A team implemented a payment solution, but I was called in due to serious bugs, but nobody had noticed any security bugs. Nobody on the team seemed to care about security at all, as there was no code review and they had implemented only the bare minimum to make it work.

IT consulting: I've worked at IT consultancy companies with thousands of employees. They didn't have backup plans for what to do if their internal systems went down.

The actual state of computer security

We have come a long way since the beginning of computer engineering, but we still have a long way to go. Many of the most prominent players in computing have great security, and most people realize (at least in theory) that we can't trust everyone on the internet.

But the fact is that the most secure web browser still has to patch security flaws every month or two. It's great that they patch it, of course. But that won't change anytime soon. And the same goes for all large software - it's either patched regularly or should be.

I'm quite amazed that viruses don't take down the IT systems of all companies and public institutions for a week or two every year. I have to assume that the reason is that no one has enough to gain in spreading such chaos.

This brilliant xkcd comic succinctly describes my feelings about the state of computing.