I love listening to idealists. In fact, I’d be one if it wasn’t for the crushing despair and cynicism that working in the security profession has instilled in me. Or maybe I work in this field because the crushing despair and cynicism already existed. In either case, I’ve lost the ability to even think “we could just fix all of our security problems if we just …”. And when I see others saying the same thing, I have to shake my head in amusement at their naivete. But it really makes me wonder when I see someone who’s been in security even longer than I have say those words. Especially when it’s someone like Ivan Ristic.
Ivan is arguing in his post that all we need to do is create tools and languages that don’t allow XSS or SQL injection and the world will be a better place. He’s right, but the very next thing is admit how unlikely this is in the real world. Such languages and tools would be a wonder to behold, but they’d kill backwards compatibility. If you’ve ever worked in a web server farm, you know this just isn’t going to happen. Actually, if you’ve worked in any aspect of IT, you know that killing anything by not supporting backwards compatibility is nearly impossible. Even if there’s only one user who’d be affected by it, the powers that be simply won’t let anyone who might give them a few cents more be left behind.
We live in a real world, however surreal it might sometimes feel. The problems in security are big, complex and ugly. There are simple solutions, such as what Ivan’s suggesting, but the problem with simple solutions is that they come at a high price. We’re not going to get programming languages that don’t let developers create security holes, because sometimes that’s the easiest way for them to get their jobs done. We might get away with it if we introduce tools that make it easier to program securely then slowly close the holes that allow for insecure coding. But this is a solution that’s going to be decades in the making, not overnight.
There is no “All we need to do is…” in security. It’s always more complex than it first seems.
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif)
