Bootstrapping security

Mark is contemplating mobile Internet and draws some conclusions about the security and general usefulness of technology. Applying those two to web services, he says:

The lessons here for Web Services are: (1) Security shouldn’t be an afterthought. (2) Equally, don’t hype a technology based on the technology alone


Let’s spare some thoughts on the first one. From what I see around, I would say that there’s a clash between the requirement of making security an integral part of the technology and commercial pressures. The way the high-tech market has functioned so far is that whoever comes first with a new product locks in the customers and grabs the biggest market share. Therefore a short time-to-market is the best friend of the technology businessperson. Doing security properly requires extra time and money that don’t translate into anything visible to the user, and so, for apparent reasons, the same time-to-market is the enemy of the security engineer.

Of course, that’s a short-term perspective. To describe the long-term cycle of build-up and adoption of technology, Dave Winer uses the metaphor of bootstrapping, or layered adoption of technology components. To start bootstrapping, you need something functioning, not necessarily something secure. I’m sorry, bootstrapping is also not a friend of the security engineer.

Everybody has probably heard more than enough about the outcomes of time-to-market pressures for major products and the difficulty of making new versions backward compatible and secure at the same time. On the other hand, it is not hard to come up with examples of projects that failed because of overengineered security. And some of these failures must have been quite spectacular.

What will the future hold? I think that the business side needs to find a viable approach, one that would think the security through from the beginning but would deploy it as the technology gets bootstrapped. I am painfully aware that this idea probably has many catches. Still, many questions remain. Is this possible? Does the current wave of open standards mean that the nature of high-tech markets has changed? Or is everything just another play of clever business strategy, marketing and PR? No simple answers, I’m afraid.
