People are complaining about bad security and are coming up with various recipes for fixing the situation, ranging from using new widgets, to setting and enforcing policies, to educating developers, to my favourite, the ‘comprehensive approach’. Unfortunately, the suggestions, although helpful in theory, have zero chance in practice, for the simple reason that they ignore the realities of delivering software projects.

In an ideal world, people would have the right skills, deadlines would be realistic and staffing appropriate. In reality many projects are understaffed, people's skills and experience are finite, deadlines range from challenging to unrealistic, and the technology is fiendishly complex. If there ever was a hope of fixing that, organisational politics, the dynamics of market competition, external crises and a host of other factors [Yourdon, 2003] ensure that these realities will remain.

So the question of ‘how not to have poor security’ should really be rephrased as ‘how to have acceptable security that can be improved over time, given human fallibility and the imperfection of the software delivery process’.
