Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

The Big Fix

Insecure software is forcing vendors to do what they've never done before: make good software.
Page:

Let's start where conversations about software usually end: basically, software sucks. In fact, if software were an office building, it would be built by a thousand carpenters, electricians and plumbers. Without architects. Or blueprints. It would look spectacular, but inside, the lifts would fail regularly. Thieves would have unfettered access through open vents at street level. Tenants would need consultants to move in. They would discover that the doors unlock whenever someone brews a pot of coffee. The builders would provide a repair kit and promise that such idiosyncrasies would not exist in the next skyscraper they build (which, by the way, tenants will be forced to move into).

Strangely, the tenants would be OK with all this. They'd tolerate the costs and the oddly comforting rhythm of failure and repair that came to dominate their lives. If someone asked: "Why do we put up with this building?" shoulders would be shrugged, hands tossed and sighs heaved. "That's just how it is. Basically, buildings suck."

The absurdity of this is the point, and it's universal, because the software industry is strangely irrational and antithetical to common sense. It is perhaps the first industry ever in which shoddiness is not anathema - it's simply expected. In many ways, shoddiness is the goal. "Don't worry, be crappy," Guy Kawasaki wrote in 2000 in his book, Rules for Revolutionaries: The Capitalist Manifesto for Creating and Marketing New Products and Services. "Revolutionary means you ship and then test," he writes. "Lots of things made the first Mac in 1984 a piece of crap - but it was a revolutionary piece of crap."

The only thing more shocking than the fact that Kawasaki's iconoclasm passes as wisdom is that executives have spent billions of dollars endorsing it. They've invested - and reinvested - in software built to be revolutionary and not necessarily good. And when those products fail, or break, or allow bad guys in, the blame finds its way everywhere except to where it should go: on flawed products and the vendors that create them.

"We've developed a culture in which we don't expect software to work well, where it's OK for the marketplace to pay to serve as beta testers for software," says Steve Cross, director and CEO of the Software Engineering Institute (SEI) at Carnegie Mellon University. "We just don't apply the same demands that we do from other engineered artefacts. We pay for Windows the same as we would a toaster, and we expect the toaster to work every time. But if Windows crashes, well, that's just how it is."

Application security - until now an oxymoron of the highest order, like the US appellation "jumbo shrimp" - is why we're starting here, where we usually end. Because it's finally changing.

A complex set of factors is conspiring to create a cultural shift away from the defeatist tolerance of "that's just how it is" toward a new era of empowerment. Not only can software get better, it must get better, say executives. They wonder, Why is software so insecure? and then, What are we doing about it?

In fact, there's good news when it comes to application security, but it's not the good news you might expect. In fact, application security is changing for the better in a far more fundamental and profound way. Observers invoke the automotive industry's quality wake-up call in the 70s. One security expert summed up the quiet revolution with a giddy, "It's happening. It's finally happening."

Even Kawasaki seems to be changing his rules. He says security is a migraine headache that has to be solved. "Don't tell me how to make my Web site cooler," he says. "Tell me how I can make it secure."

"Don't worry, be crappy" has evolved into "Don't be crappy." Software that doesn't suck. What a revolutionary concept.

Page:

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: ACT, Apple, Bill, Billion, Carnegie Mellon University, Financial Institutions, General Magic, HIS Limited, Internet Security Alliance, Mellon, Microsoft, NASA, Nimda virus, Oracle, PLUS, Promise, SEC, Sustainable Computing Consortium, VIA, Wal-Mart, Xbox

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Latest Blog Posts
Whitepapers
  • Email Encryption/Decryption and Signing integrated into a comprehensive content security solution
    Clearswift’s SECURE Email Gateway provides an easy to use approach to providing secure email conversations. The technology enables customers to provide the privacy, authenticity and integrity of the communication that secure messaging offers, but without the complexity and high administration cost of other systems. The Clearswift SECURE Email Gateway with integrated encryption technology enables business to communicate with confidence and protects them from the risk of sensitive data loss.
    Learn more »
  • Book 1 - The Practical Guide to Assuring Compliance
    In today’s integrated, regulated, litigated environment, it is necessary to provide assurance to customers, business partners, regulators, and sometimes even the courts that you have done your due diligence in securing your IT infrastructure. New and updated United States laws are increasingly making corporate management responsible for ensuring compliance, as companies face substantial fines and penalties for not doing so. Existing and emerging global security and privacy laws and regulations make keeping up with multinational compliance requirements imperative. Read on.
    Learn more »
  • Book 3 - The Practical Guide to Managing Risks
    Every organisation has a mission. Most, if not all, organisations use information technology (IT) to process their information in support of their missions and reaching their business goals. Managing risks associated with the information and supporting technologies is a critical factor in successful organisational mission realisation. Read on.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.

HP and IDG news, product videos and resources