Friday, 5 December 2008

Thoughts on Software Security

Here's something that grinds my gears:
You still use bla bla bla Internet Navigator v13.2.256.2?! Don't you know that it's full of security holes? You should use YYY Firedog 2012 because it's secure and hip, and soon everybody will be using it!
From my experience there are no perfect software programs from a security perspective. The only thing that matters is the number of exploited security holes, and that number tends to be directly proportional to the popularity (the number of users) of the software application and to the number of functionalities it offers.

Or worse. My theory is that the users of public software applications (meaning software meant for the masses, not for X company's HR department) with small user bases tend to be more technically savvy. As the number of users grows, due to the increasing popularity of that software, the average naivety level tends to go up. This is the first step when things start to go bad, because the easiest security exploits rely on user ignorance.

The second step occurs when the application suffers a surge of new functionalities. This usually happens when it starts supporting some form of plugins or automation, because this greatly increases the area exposed by that application to the world: longer borders => more border patrols are needed.

So there is no real security comparison between two software applications unless they have comparable user bases, have been available for the same period of time and support roughly the same major functions.

My conclusion is this: educate the user! Software doesn't need to be foolproof. Time spent on dumbing down the user interface (and I don't refer here only to the GUI, but to the whole end user experience) can be better employed on improving its functionalities.

Help the user make informed decisions, even if this means saying "Pushing this button exposes you to the following risks: money loss, health loss, pride loss, etc.". Software applications should not follow the marketing propaganda of consumerism. In a medium where information is a de facto currency, there are better ways to advocate the use of your software. Make a commitment to inform users of the strong and weak points of your application, and of when it can and when it shouldn't be used.
