Why Software Remains Insecure

The enemy isn't competence or technology, but the fact that things work so well while remaining insecure

March 12, 2018

There are a million theories as to why software remains insecure after we’ve spend decades trying to solve the problem. Common reasons include:

  • the lack of will to secure things

  • the lack of vendor liability

  • the use of insecure languages

  • insufficient developer training

  • not enough security products

  • not enough security professionals

  • etc…

But there’s a far simpler and more powerful explanation, which is best demonstrated in a visualization like the one above: the existence of insecure software has so far helped society far more than it has harmed it.

Basically, software remains vulnerable because the benefits created by insecure products far outweigh the downsides. Once that changes, software security will improve—but not a moment before.

Consider the mystery solved.

These failures are likely to start, by the way, largely due to the explosion of the Internet of Things.

When we start having complete and long-lasting internet outages, companies being knocked offline for days or weeks and going out of business, and—most importantly—large numbers of people dying, then we’ll see a serious push for secure software.

We know having poor cybersecurity is tolerable—as a society—because we tolerate it—as a society.

In the meantime, quickly developed, quickly deployed, and insecure code will continue to perform miracles for human civilization, and will therefore continue to be welcomed into businesses and society.

In short, don’t expect change until we see the downsides of insecure software start to rival the benefits.

And it’s currently not even close.