I read a post tweeted by Chris Cornutt today. The basic gist of the article is that your security is only as strong as your most ethically-challenged developer. That got me thinking that we spend so much time trying to prevent intrusions when detection might be a better priority. Some tactics, such as SQL Injection, are useful because they protect not just against intruders but people who tend towards single-quote usage as well. I would argue that SQL Injection is just as much about inadvertent data entry as it is about security. Same thing with XSS.
But this also got me thinking about laws. We tend to (wrongly) view laws as a preventative measure. The problem is that there are always people who are willing to skirt the law, whatever that law may be. Sometimes it’s because laws are unjust. But who is to decide when the perceived unjust-ness of a law is sufficient to permit civil disobedience? Or the rejection of that law by an individual?
But what if we (getting back to developers) worked under the presumption that our code would be attacked and security would be defeated? If we presume that our software is vulnerable does it make more sense to lock it down as much as we can, or implement methods to detect, or at least collect, information in a way to make prosecution or recovery easy. Just like you cannot write a law to prevent all people from wrongdoing you cannot guarantee that your code is 100% secure. Given that, would it work to take an approach that focused more on detection (and recovery) in front of prevention?
Would our approach be different?
What would it look like?
Would it work?
Would it matter?
It may sound a little silly to ask but consider that banks do something like this when it comes to financial transactions. Banks use eventual consistency to maintain financial records. They are not ACID compliant. It is possible to overdraw your account if you do it in a manner that beats out the eventually consistent implementation they use. It is the only way to maintain the scale that they require. The position of the banks is that IF a circumstance occurs where there is a discrepancy in bank records it costs them less to fix the issue than to prevent it in the first place.
Likewise, Amazon allows items to be sold when they aren’t sure about stock (just look at a recent purchase of mine). Their presumption, presumptively, is that it will cost them more to ensure completely accurate inventory management than to send an apology letter to a waiting customer. Is there a correlation in software development when it comes to security?
I don’t have any answers ATM, and it may be that any implementation may end up being more costly than prevention (my current thought is that it is). I’m just thinking out loud and wondering if anyone else has given though to this.