Why Security Programming is Hard
I find software security alarming.
Mostly because when I was working for Google, nobody had a good grasp of the concepts. Keep in mind I don’t either. I’ve read a few hacking books, and played around some with the examples. I’ve submitted JavaScript examples to the Chrome team that made the browser crash, but I’ve never come close to fully exploiting Chrome. I’m always in awe when I see some of the Chrome exploits that use 4-6 separate bugs to escape the browser’s sandbox.
Here’s why I think it’s alarming: Google is supposed to employ some of the brightest software engineers in the world, and yet, almost nobody knew anything about security. My “hacking” credentials were probably the best on my team after I read a couple of books.
Breaking into software just isn’t part of most computer science curriculums.
I realize Google employs full security teams now, and they know their stuff, but most regular software engineers don’t. And if they don’t know it at Google, what does that say about the rest of the engineers in the field?
Even in web software, the number of things a programmer can overlook is alarming.
Keep this in mind when you’re using online services.
I just hope our banks and financial institutions employ hordes of security people.
I’d recommend you assume that nothing is secure, and use dual authentication schemes whenever possible.
And FYI, I use online shopping, banking, and bill-pay as much as anyone else. I just assume that if these things aren’t secured, we’re all screwed, so I don’t worry about it.