
We need to adopt more rigorous engineering principles, adapting the principles of concurrent engineering, to place security at the core of our appropriately engineered product solutions.

One thing that we have become accustomed to in the technology industry is rapid and constant change, or, for those who have been around for a little bit longer, rapid and constant recycling. Recycling or change aside, let's look back to a time when JavaScript was the language that jQuery was written in, a time when front end developers were building new whizzy User Interfaces (UIs) relying heavily on jQuery, to engage with an ever more sophisticated audience (apparently afflicted by something called "consumerization"), and back end folks were reminding the front end folks that they were dependent on the data they were literally able to "serve up".

Moving forward to the present day, JavaScript is the language behind a range of frameworks such as React.js, Angular.js and Node.js that have made the front end/back end distinction redundant. The obvious allure of Agile, UI-centric approaches, combined with a shift towards increased abstraction via tools, libraries or platforms, means that there is a shortage of people with a comprehensive bottom-up understanding of the complex products we are building. Speaking up for the community of Software Professionals faced with an ever increasing number of tools, methodologies and languages, keeping abreast of change (or recycling) is a challenge in itself.

There are 3.4 billion internet users globally and 10 to 15 billion Internet of Things (IoT) devices. On the 21st October there was a Distributed Denial of Service (DDoS) attack that resulted in outages at sites such as Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, Netflix, Facebook and the Guardian. This was widely reported as the result of attacks on Dyn, a major provider of DNS services, carried out by malicious software that had hijacked IoT devices such as webcams and home routers. "All very elementary, my dear Watson", but it would seem that the proof is very much in the pudding.

Given the reality that we are increasing complexity by building more products, the majority of which sit on a public network (the www), whilst at the same time reducing our capacity to deal with that complexity, we are exposing some gaping holes in our security. We should take stock and consider the extent to which what we are collectively building is a ticking time bomb.

Furthermore, we should acknowledge that the very idea of creating an ever-secure perimeter to keep the bad people out has all but been lost. We need to consider the security and vulnerabilities of our applications and mitigate the implications of increasingly inevitable security breaches. In order to do this, we need to adopt more rigorous engineering principles, adapting the principles of concurrent engineering, to place security at the core of our appropriately engineered product solutions. Part of the responsibility for this has to lie with Software Vendors, but it also needs to be shared by Procurement Professionals. We all must be wary of the ever increasing levels of abstraction and factor in the real cost of ownership.