"Security Is Our Top Priority" is BS

A couple of years ago I was asked to give a conference talk about software security. Well, actually I wasn't really asked, my company bought a sponsorship package with a speaker slot and I replied to the internal email asking for volunteers 🤣 Anyway, while preparing my talk, I realized a couple of important points about security that have not left my mind since:

  1. Security is limitless. You can always spend more effort to make things more secure. The same goes for quality, safety, employee happiness, etc.

  2. The needs of security are opposed to the needs of a convenient user experience. Improving one typically hurts the other.

Now some organizations say "Security is our #1 priority". Really? You want to make something that has no limits your number one priority? I mean security is a good thing, but this seems a bit too simple? In fact, hollow marketing claims like that can make me a bit angry. In this post I'll help you understand what to make of statements like that, and how to deal with security in real life. I'll cover:
  • A philosophical intro
  • What does "Security is our #1 priority" actually mean?
  • How far should you take security?
  • What should companies say instead?

A philosophical intro to help our thinking

The limitless nature of security and the balancing with user experience (UX) reminded me of something. I had to stop and think for a bit, but then I remembered. When I was about 19 or 20 I discovered GK Chesterton. I loved him as he made me see there were actually formidable Christian thinkers, and in my sort-of evangelical background there weren't many of those. Unfortunately for what 20 year old me would have liked, and despite Chesterton, my personal faith didn't survive, but I did still learn a lot from his writing that I appreciate to this day. Here's one quote that relates to this topic:
“The modern world is not evil; in some ways the modern world is far too good. It is full of wild and wasted virtues. When a religious scheme is shattered (as Christianity was shattered at the Reformation), it is not merely the vices that are let loose. The vices are, indeed, let loose, and they wander and do damage. But the virtues are let loose also; and the virtues wander more wildly, and the virtues do more terrible damage. The modern world is full of the old Christian virtues gone mad. The virtues have gone mad because they have been isolated from each other and are wandering alone. Thus some scientists care for truth; and their truth is pitiless. Thus some humanitarians only care for pity; and their pity (I am sorry to say) is often untruthful.” - GK Chesterton, Orthodoxy, 1908

What Chesterton is saying is that good things (virtues) can become bad if they go too far or leave out other good things. Seems like a no-brainer, and it is. But once you grasp this pattern you see it happening all the time. In this blog post it's about security freaks that forget about UX, but it's the same in our political world. Some people take DEI so far that they vilify white men. Some people take family values so far that they make others feel like misfits. Both family values and inclusivity are good things, but taken apart they can lead to extremes and can foster polarization between the groups.

So what we need is a healthy mix between all the good things, without letting one become extreme and neglecting the others. This isn't easy! If you're a security extremist, and you still get hacked, at least you can say you did everything in your power to make it more secure. On the other hand, suppose you have balanced UX and Security and you took some decisions to make things less secure but for a better UX. You get hacked. How do you justify that? Saying "Reality is complex and we took a decision to prioritize UX in this case" is not a good soundbite. It takes guts to defend non-extremist positions, because the extremists will always have more powerful one-liners.

What does "Security is our #1 priority" really mean?

Is Security actually limitless? I think yes. In fact the safest way a bank can operate is to shut down its online presence, buy a big vault and put a small army outside the door. Even then, the number of security checks and the size of the army can be increased infinitely. However, most people will prefer to send money using Face ID on their banking app and think that that security is good enough.

And do companies actually say this? Yes. Here's Microsoft "Prioritizing Security Above All Else", AWS "Cloud security at AWS is the highest priority", Meta "Safeguarding your data is our highest priority" and there are many more.

It sounds nice, but does this in practice mean that whenever anyone has an idea to improve security, at the expense of UX, consumer prices, etc, you still implement it? Because that is what it sounds like. Of course the answer is no, so I'm not taking the statements too seriously, although I understand it gives your customers a warm fuzzy feeling. I'd prefer organizations to be honest and clear, but I can only dream about a world where this is true.

In reality these companies mean something like:
"We have a balanced framework of priorities, we categorize issues and give each a weighted score. We give UX issues 20%, security 25%, tech debt 10%, new features 20%, etc. As you can see security is the number 1 priority because 25% is higher than 20%."
Or maybe they mean:
"Security (to a level that is the norm in our industry) is our #1 priority. Once we have implemented enough we focus on other issues."
If you have examples of completely honest security statements like "we care about security because we need you to trust us, and therefore it's one of our top priorities" I'd be very interested. Please comment!

How far should you take security?

When I gave the talk in 2018, where to actually draw the line was still a mystery to me. Having worked with risk frameworks like ISO 14971 and ISO 27001 since then, I now have some tools in my belt to help me deal with this.

It all starts with a scoring mechanism: figure out what we have that needs to be protected, what risks there are, and how likely and how severe each risk is. You multiply likelihood and severity and you get a risk number for each risk that you can map to low, medium, high.
  • If the risk number is low you can safely accept the risk.
  • If it is medium you should consider risk controls unless justified.
  • If high you must implement risk controls.

Then once the risk controls are in place, verify that they actually mitigate the risks and that the remaining risks are now low or non-existent. Then you are done.

Sounds simple, but where do we put the lines between low, medium and high? I always put some decision makers together, give examples of things that could go wrong and ask them to come up with a scoring system. Then I ask what kind of risks they are willing to accept, considering what the product or process would look like with a risk control applied.

This simple scoring system has a risk matrix, a risk appetite / risk acceptance policy, and a risk inventory. It's a simple tool that can help you make decisions.
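To make the scoring mechanism concrete, here is a small risk register that follows the steps above: score each risk as likelihood × severity, map the score onto a low/medium/high matrix, apply the acceptance policy (accept / consider controls unless justified / must control), then re-score after controls to verify the residual risk is low or justified. This is an added example written for this post, not code from the original; the 1 to 5 scales, the band thresholds (the "risk appetite") and the sample banking-app risks are all constructed assumptions, so the interesting part is the mechanics, including a residual medium risk that is accepted with a UX justification rather than a second, more intrusive control.

```python
"""Risk register: likelihood x severity -> band -> decision -> residual check.

Constructed example. Scales, thresholds and sample risks are assumptions
chosen to illustrate the process, not values from any real assessment.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Risk appetite: where low / medium / high are drawn. Assumed for the example;
# in practice the decision makers set these in a workshop.
LOW_MAX = 4       # score <= 4  -> low    -> accept
MEDIUM_MAX = 12   # score <= 12 -> medium -> consider controls unless justified
                  # score >  12 -> high   -> must control


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    severity: int                        # 1 (negligible) .. 5 (catastrophic)
    control: Optional[str] = None        # control applied, if any
    justification: Optional[str] = None  # why a medium risk is accepted as-is

    def __post_init__(self) -> None:
        for name in ("likelihood", "severity"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.severity


def band(score: int) -> str:
    """Map a risk score onto the low/medium/high risk matrix."""
    if score <= LOW_MAX:
        return "low"
    if score <= MEDIUM_MAX:
        return "medium"
    return "high"


def decision(risk: Risk) -> str:
    """Apply the acceptance policy to one risk."""
    b = band(risk.score)
    if b == "low":
        return "accept"
    if b == "medium":
        return "accept (justified)" if risk.justification else "consider controls"
    return "must control"


def apply_control(risk: Risk, name: str, *, likelihood: Optional[int] = None,
                  severity: Optional[int] = None) -> Risk:
    """Return the residual risk after a control lowers likelihood and/or severity."""
    return replace(risk, control=name,
                   likelihood=risk.likelihood if likelihood is None else likelihood,
                   severity=risk.severity if severity is None else severity)


def open_items(inventory: List[Risk]) -> List[Risk]:
    """Verification step: risks whose residual score still demands work."""
    return [r for r in inventory if decision(r) not in ("accept", "accept (justified)")]


# Constructed sample inventory for an imaginary online banking app.
INVENTORY = [
    Risk("customer funds", "account takeover with reused passwords", likelihood=4, severity=5),
    Risk("customer data", "error page leaks internal stack traces", likelihood=3, severity=2),
    Risk("marketing site", "defacement of a static page", likelihood=2, severity=1),
]


def treat(inventory: List[Risk]) -> List[Risk]:
    """One round of risk treatment over the sample inventory."""
    takeover, leak, defacement = inventory
    # High risk, so a control is mandatory: MFA cuts likelihood, not severity.
    takeover = apply_control(takeover, "MFA on login", likelihood=1)   # 1*5 = 5 -> medium
    # The residual medium risk is accepted with a UX justification instead of
    # adding a second, more intrusive control.
    takeover = replace(takeover, justification="step-up auth on every transfer "
                       "would hurt UX more than the residual risk warrants")
    # Medium risk with a cheap control and no UX cost: just fix it.
    leak = apply_control(leak, "generic error handler", severity=1)    # 3*1 = 3 -> low
    # Low risk: accepted as-is.
    return [takeover, leak, defacement]


if __name__ == "__main__":
    treated = treat(INVENTORY)
    for before, after in zip(INVENTORY, treated):
        print(f"{before.threat}: {before.score} ({decision(before)}) "
              f"-> {after.score} ({decision(after)})")
    print("open items:", [r.threat for r in open_items(treated)])
```

The thresholds in `LOW_MAX` and `MEDIUM_MAX` are the risk appetite; the list is the risk inventory; `band` is the matrix. Changing the thresholds is how the decision makers' workshop ends up expressed in the tool, and `open_items` is the "are we done?" check from the last step.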

What should we say instead?

The entire world has been handling safety, quality and security in a grown-up manner for decades. Let's promote the companies that do that without saying it's their top priority. It's a meaningless statement.

In my ideal world, companies would say "We maintain a state of the art security system, because without our customers' trust we would have no right to exist as a company. As such, it is one of the most important things we work on and we spend a large amount of our effort on it." Probably doesn't sound as good to most people, but companies that say this would certainly score points with me.

Have good examples of honest security statements? Comment on HN.

Comments

  1. Google’s security stance is more aggressive than most places I’ve heard about and I don’t remember any silly statements on the matter. I’ve scanned https://cloud.google.com/docs/security/overview/whitepaper and didn’t spot any mismatch with reality either. OTOH didn’t find a short balanced sound bite.
