Software Development, It's Time to Grow Up

Most people have now heard of the Equifax data breach that "potentially impacts approximately 143 million U.S. consumers". This clearly is a watershed moment for computer security and software development and how we handle it both as an industry and even as a country. I believe three major themes will emerge from this debacle:

  1. How should liability be assigned for this? And to whom? (Which will include identifying new parties to hold liable.)
  2. How can we avoid the centralization of so much sensitive data and yet support a service such as credit reporting?
  3. How should the software development industry change development practices and policies in order to help prevent such an incident?

The first two items are in-depth topics worthy of considerable discussion on their own. However, in this post, I'm going to focus on the third item. What do we as a software development community need to do about this?

Houston, We Have a Problem

Based on the history of credit agencies and of data breaches, it is likely that we are going to find out that there were a lot of obvious things wrong with Equifax's technology and processes. Of course, it's easy to "Monday morning quarterback." However, in our society, we do expect certain critical tasks to be done correctly most of the time and have instituted various practices to achieve that:

  • Lawyers must have a bachelor's degree, complete law school, pass a state bar exam and be licensed.
  • Doctors must have a doctorate-level degree and they must be licensed.
  • Engineers must have a bachelor's degree from an accredited program and they must be licensed.
  • Software developers must - be able to code?

See the problem yet? We have software developers building systems that are critical to society and in many cases we have no externally imposed education, certification or expertise requirements of them.

From the libertarian and laissez-faire perspective, this situation is desirable. Why impede such a dynamic and innovative area of our economy with unnecessary bureaucracy and barriers to entry?

On the other hand, history shows that what we have in the legal, medical and engineering fields is what's coming for software development. It's time the industry grew up, faced the music and solved this problem from within before a solution nobody likes gets imposed on us.

Whoa, Back it Up

Of course, the situation is not really that simple. For instance, let's compare the age of the fields mentioned above with that of software development. We are talking in some cases hundreds if not thousands of years in contrast to a tiny 70 years or so for software development. As a profession, a field, and a society, we haven't had time to grapple with these issues yet, both to recognize the problems and to implement reasonable controls in response. The software development field is still a babe in comparison.

Also, there are indeed some areas of software development that are already strongly regulated – military, aviation and medical applications being excellent examples.

But, by and large, many critical areas of our society involve software development that is completely unconstrained in how it is executed. And executing it well in a way that prevents massive failures like what happened to Equifax is extremely hard to do. It requires (at the least) appropriate training and many years of experience.

It's The Culture, Stupid

While there are some positive cultural influences within the software development field regarding this problem, almost all of them are ad hoc and voluntary approaches. Meanwhile, we have certifications that hardly anybody requires and far too many programming languages to choose from, which impedes the development of expertise. We have a code of ethics that probably not one single reader of this article has ever heard of and a hacker mythology created by Hollywood that glorifies unprofessionalism.

But worst of all, we have a negative societal attitude towards software development and the people that practice it. If you asked a random person about software development, two things they would likely tell you about it are:

  1. Their cousin's ability to "create a website" makes them a developer
  2. Software developers are nerds

So, imagine this: you have a valedictorian getting ready to go to college and they are choosing between becoming a lawyer, doctor, engineer or software developer. What are the odds they are going to choose to be amongst "nerds" who are "creating websites" versus those other fields?

Put another way, what kids dream of growing up to be a software developer?

Our cultural attitudes are inevitably lowering the average level of talent in the field. Yet, doing good, reliable, and safe work in this field is at least as hard as any of those other fields.

How Do We Fix This?

I personally took a first step towards fixing this problem 4 years ago when I decided to pivot Data Bakery into a custom software development services company. I already knew about the sorry state of my field (as described above) and wanted to do something much better. So I modeled how I operate based on the successful practices of other fields that are much more mature.

I've got a lot of experience and a lot of knowledge. While Malcolm Gladwell's "10,000 hours of practice to master a field" hypothesis is not universally accepted, and I don't believe that appropriate training can only come from universities, I do believe that 10,000 hours of relevant experience is an extremely important factor. I also believe a master/apprentice approach in software development would be highly beneficial – if not quite practical in our modern economy.

I also eschew the flavor-of-the-week technology chase and make careful, long-term tech choices and have become very good at predictably delivering good results with them. I will eventually get whatever certifications emerge as relevant to the field and require them of anybody who wants to work with me.

I want to change how our professionals, field and society deal with software development. If what you read here means as much to you as it does to me, please contact me. Let's talk.


Computer Security and Anti-Lock Brakes

You may well wonder what the two items in the title of this post have to do with each other. Computer Security is of course the practices and tools that go into having a secure computing experience while anti-lock brakes are a safety feature on most modern cars.

When anti-lock brakes were introduced, they were hailed as a life-saving technology that was sure to reduce the number of accidents on the road and result in fewer injuries and cost savings for everybody. However, the real-world results never matched these expectations. When drivers learned about and began using anti-lock braking systems, they started driving faster, following closer and braking later. All of these factors effectively cancelled out the predicted benefit of introducing them in the first place.

A number of studies have concluded that Risk Compensation is the reason for this result: "an effect whereby individual people may tend to adjust their behavior in response to perceived changes in risk".

So, what's really happening here? People go about their lives behaving in ways based on the perceived risks of their activity. If they think they might get hit by a car when crossing a street (the risks are higher) they will look both ways before crossing. If they think they might have lower odds of getting into an accident because their car has anti-lock brakes (the risks are lower) then they will drive more aggressively.

The effect is even more pronounced in professional sports. The National Football League (NFL) is experiencing more significant injuries while at the same time deploying safer equipment and changing rules in the name of safety. Players are responding to the perceived decrease in risks by playing the game more aggressively.

Putting Safety Pads on Your Computer

I believe Computer Security for consumers also suffers from the Risk Compensation effect, especially when it comes to firewalls and anti-virus software.

Firewalls and anti-virus software are staples of your average consumer computing experience. Most consumers don't really understand what these tools are or how they work, but they are told that if they use them and keep them up to date, they will be safe. Consumers are rarely educated about the basics of computer security technology. It would be charitable to say this is an oversight of an industry that wants to provide a safe and turn-key experience to its consumers. The more cynical reader is probably already thinking of the more likely explanation: the technology industry doesn't think users can or will ever be able to understand these issues.

The problem is that firewalls and anti-virus software are not nearly as effective as our industry has led consumers to believe. Combine this situation with Risk Compensation and we have an impending disaster on our hands. Consumers who are not educated on the basics of computer security are taking significant risks based on a false perception that firewall and anti-virus software will keep them safe.

Drivers Ed

The analogy with anti-lock brakes is a useful one in more ways than one. Clearly the automotive industry and our society are doing something right concerning automobiles or we would have an epidemic of automotive accidents. I think the key is two-fold: 1) a sense of responsibility and 2) education.

Unlike when your average consumer buys a computer, a new driver must go through drivers education and pass a written exam. Vehicles come with manuals that have all of the basic operational details spelled out including all safety procedures. At the same time, we have laws and regulations that hold a driver responsible for the operation of their vehicle.

The result is a driving experience that we as a society are relatively happy with.

Putting on the Brakes

In comparison, when a consumer buys a computer, they rush home to unpack it, watch a quick introductory video on how to attach it to the Internet, install anti-virus and firewall software and then start surfing. No computer security information is taught and no sense of responsibility is imparted for how the computer is operated.

I want to make sure readers don't think I'm suggesting that we require a computer security version of drivers ed and a license to operate a computer, nor that we need to pass new laws making users responsible for the actions taken by their compromised computers.

What I am advocating is that we start educating users about computer security. If they can learn important and complicated information regarding the safe operation of a car, they can surely learn material presented at the same level about computer security. I'm also advocating that we stop pretending that anti-virus and firewall software are going to protect consumers from all of the ills on the Internet.

People need to understand what level of real protection these tools are providing – and what risks they are still exposed to – so that they can become a constructive and active participant in improving computer security for everybody.

Of Guns and Malware

I came across this video the other day:

It's a really entertaining TED Talk about the world of computer security from the perspective of malware and presented by Mikko Hypponen of F-Secure. I encourage you to watch.

He closes with the following:

I've spent my life defending the Net, and I do feel that if we don't fight online crime, we are running a risk of losing it all. We have to do this globally, and we have to do it right now. What we need is more global, international law enforcement work to find online criminal gangs -- these organized gangs that are making millions out of their attacks. That's much more important than running anti-viruses or running firewalls. What actually matters is actually finding the people behind these attacks, and even more importantly, we have to find the people who are about to become part of this online world of crime, but haven't yet done it. We have to find the people with the skills, but without the opportunities and give them the opportunities to use their skills for good.

In other words, anti-virus and firewalls aren't the solution to our problem. Stopping the people who create and produce malware is.

At the same time, we have this sentiment that bubbled up in the news recently:

Is antivirus software a waste of money?

As it turns out, many of his security-minded peers don't use [antivirus software] either. The reason: If someone is going to try and attack them, they're likely to use a new technique, one that most antivirus products will miss. "If you asked the average security expert whether they use antivirus or not," Grossman says "a significant proportion of them do not."

That's a pretty clear indictment of the status quo. What we are doing is not working.

Guns don't kill people, people kill people

What I believe is happening here is a growing realization of what I've talked about before. The current security situation is a never-ending battle of measure and counter-measure with ever-increasing casualties. What is needed is a dramatic change in the way we approach this battle.

Mikko points to one way to change this. Stop trying to stop the "guns" in this battle from being manufactured and distributed; instead go after the people who are using them to commit crimes.

However, the same Wired article from above goes on to cite another approach:

Patterson said his company, Patco, had “good AV” at the time of the attack, but nevertheless it missed the password-stealing Trojan. Now, two years later, he’s taken an inexpensive step that every small business should take to prevent his company from becoming victim to this type of fraud: He’s told his bank to give him a call before it authorizes any big money transfers.

This to me is the real game changer. And I hope to make Trust Inn the catalyst for that change.