I read a post tweeted by Chris Cornutt today. The basic gist of the article is that your security is only as strong as your most ethically-challenged developer. That got me thinking that we spend so much time trying to prevent intrusions when detection might be a better priority. Some tactics, such as SQL Injection, are useful because they protect not just against intruders but people who tend towards single-quote usage as well. I would argue that SQL Injection is just as much about inadvertent data entry as it is about security. Same thing with XSS.
But this also got me thinking about laws. We tend to (wrongly) view laws as a preventative measure. The problem is that there are always people who are willing to skirt the law, whatever that law may be. Sometimes it’s because laws are unjust. But who is to decide when the perceived unjust-ness of a law is sufficient to permit civil disobedience? Or the rejection of that law by an individual?
But what if we (getting back to developers) worked under the presumption that our code would be attacked and security would be defeated? If we presume that our software is vulnerable does it make more sense to lock it down as much as we can, or implement methods to detect, or at least collect, information in a way to make prosecution or recovery easy. Just like you cannot write a law to prevent all people from wrongdoing you cannot guarantee that your code is 100% secure. Given that, would it work to take an approach that focused more on detection (and recovery) in front of prevention?
Would our approach be different?
What would it look like?
Would it work?
Would it matter?
It may sound a little silly to ask but consider that banks do something like this when it comes to financial transactions. Banks use eventual consistency to maintain financial records. They are not ACID compliant. It is possible to overdraw your account if you do it in a manner that beats out the eventually consistent implementation they use. It is the only way to maintain the scale that they require. The position of the banks is that IF a circumstance occurs where there is a discrepancy in bank records it costs them less to fix the issue than to prevent it in the first place.
Likewise, Amazon allows items to be sold when they aren’t sure about stock (just look at a recent purchase of mine). Their presumption, presumptively, is that it will cost them more to ensure completely accurate inventory management than to send an apology letter to a waiting customer. Is there a correlation in software development when it comes to security?
I don’t have any answers ATM, and it may be that any implementation may end up being more costly than prevention (my current thought is that it is). I’m just thinking out loud and wondering if anyone else has given though to this.
Comments
dstockto
I think this is an interesting take on it. I think both prevention and detection/collection are important. I think there’s a mix that differs based on what you’re trying to protect. For instance, a company that has a breach that allowed personally identifiable info to get out may find that they are no longer in business, so prevention is very important.
If the data is segregated so that a breach of some of the PII doesn’t mean that all the PII is compromised and they can tell that an intrusion occurred but also be certain that it didn’t affect all critical data may find themselves in a better position than a company who cannot detect the intrusion and learns about it at the same time the public does.
Data that’s less critical may be less of a problem if a breach occurs so prevention may be less cost effective than prevention.
In the case of the bank, the problem is rectifiable without a loss of reputation on the side of the bank. Bank errors happen all the time but no one really hears about it as a big news item. For the Amazon example, the worst case that’s likely to happen is that the customer writes an angry blog or letter that gets picked up and more people are aware of Amazon. Even that’s not likely though and Amazon could likely or easily “make right” with the offer of a gift certificate or similar if it was even required.
If Amazon lost a chunk of credit card info or something like that, then they are facing lawsuits and bigger problems, but probably not to the scale that would threaten the existence of the company. Smaller companies would not likely be so lucky.
In any case, it’s an interesting question that requires further study.