- A slanted look at McCain’s record. But it does expose some interesting angles–his service record in particular–that you don’t hear about very often.
- Interesting balanced summary of articles on Obama and McCain in the NYT. Worth noting is the greater volume of articles digging into Obama than McCain.
- McCain’s health care plan will be balanced by cutting Medicare. Anyone want to do the next Florida poll?
- Moving right along. Looks like the old Dobie is history after this year.
- The use and misuse of language, and the disdain for language, in this election year are more explicit than they’ve been for many a year.
- Good read regarding the history and changing symbolism of the Lincoln Memorial.
Day: October 6, 2008
Technical Debt part II: Security debt
I wrote previously about “technical debt,” the concept that the decision to defer necessary technical work (adopting an updated version of a component, refactoring code to reduce cruft, etc.) accumulates across releases until it absorbs a project team’s entire capacity to develop code. You “pay interest” on technical debt because a necessary technical change is much harder, and consumes many more resources, the further downstream you get from the point where the change first became necessary.
It occurred to me today that there’s a specific flavor of technical debt, security debt, that is both more insidious and much easier to see in operation, because we have so many prominent examples of it. It might not have cost the developers of Windows much more to make the OS more secure at design time, but some of those decisions were deferred, until the point where whole features were introduced to address security deficiencies in prior features, and a six-month-long security push postponed Vista’s launch while the team took care of outstanding security issues in the already-shipped version of the OS.
What’s interesting about security debt to me is that it balloons over time. My once-favorite mix sharing site, Art of the Mix, is a good example. The guy who developed it didn’t really understand SQL injection or XSS, or at least didn’t code defensively against them, and it has become a hive of malware as a result–and is now flagged as a “reported attack site” and blocked by Firefox 3. So, to carry the metaphor to its logical conclusion, the site’s security debt drove it into a kind of “bankruptcy” when it proved susceptible to drive-by SQL injection attacks.
So how do you avoid incurring security debt? Learning good development practices is a good start; keeping up on the prevalent attacks–the current risk space–is another. But there’s one key thing to remember about security debt: in many cases fixing the underlying flaw that permits exploitation is far cheaper than getting hacked, or even than putting band-aids like web application firewalls in place.
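To make the “fix the flaw, don’t band-aid it” point concrete, here is an added example (my own illustration, not code from the original post or from Art of the Mix) of the SQL injection debt described above. It uses an in-memory SQLite table with constructed sample rows, shows the string-spliced query that lets a classic `' OR '1'='1` payload dump every row, shows a toy keyword blocklist standing in for a bolt-on filter (a hypothetical stand-in, not any real WAF) being sidestepped with inline comments, and finally shows the parameterized query that retires the debt outright because the input never becomes SQL syntax.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
_SEED_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Two hypothetical attacker inputs: the textbook payload, and a variant that
# replaces the spaces around OR with SQL comments to slip past a naive filter.
PAYLOAD = "x' OR '1'='1"
PAYLOAD_COMMENTED = "x'/**/OR/**/'1'='1"


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _SEED_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The 'debt' version: user input is spliced into the SQL text, so quote
    characters in the input change the meaning of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def naive_filter(name):
    """Toy band-aid (hypothetical): reject anything containing ' OR '.
    Real WAFs are far more elaborate, but the weakness is the same in kind."""
    return " or " not in name.lower()


def lookup_filtered(conn, name):
    """Band-aid version: same vulnerable query, guarded by the toy filter."""
    if not naive_filter(name):
        return []
    return lookup_vulnerable(conn, name)


def lookup_fixed(conn, name):
    """The repaid version: the driver binds the value as data, so the input
    can never be parsed as SQL syntax regardless of what it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Return row counts for each variant so the outcomes can be compared:
    (vulnerable, filtered-but-bypassed, fixed)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)              # every row
    bypassed = lookup_filtered(conn, PAYLOAD_COMMENTED)    # filter passes, still every row
    safe = lookup_fixed(conn, PAYLOAD_COMMENTED)           # no such user: no rows
    return len(leaked), len(bypassed), len(safe)


if __name__ == "__main__":
    print("rows returned (vulnerable, filtered, fixed):", demo())
```

Running it shows both the raw query and the filtered query handing back the whole table, while the parameterized query returns nothing for the same inputs. The only change that actually removes the debt is the last one; the filter merely raises the price of the next bypass.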