Chrome security engineer and EFF alumna Chris Palmer's State of Software Security 2019 is less depressing than you might think: Palmer calls out the spread of encryption of data in transit and better signaling to users when they're using insecure connections (largely attributable to the Let's Encrypt project); and security design, better programming languages and bug-hunting are making great strides.
Palmer also identifies the rise of tech worker protests over unethical projects (drones, censorship in China, etc.) as a major advance, even if you don't agree with their specific goals, saying it's "good news that our generation of engineers is growing beyond the 'I could build it, so I did; what are consequences?' mentality."
On the downside, Palmer is less bullish about the prevalence of C++ ("untenably complex and wildly unsafe"); worried about Meltdown, Spectre and related bugs; and the proliferation of scams, crapware, and stalkerware.
Missing from Palmer's analysis: the security debt created by massive silos of overcollected data held by incompetent firms that are outmatched by their adversaries (Equifax was the beginning, not the end); the role of state vulnerability hoarding in promoting insecurity; and the growth of mandates banning working crypto, from China to Australia.
Still, I see people really shipping software improvements that seemed impossible 20 or 10 or 5 years ago. We really are making progress. Here's what I want to see in 2019:
Throwing away the idea of using 'engagement' as the sole or primary metric.
Socializing policy thinking in the engineering community. It's time to put on our grown-up clothes. The stuff we do matters (otherwise we wouldn't do it, right?), and that means we need to think about and deal with the consequences.
Eroding the idea that memory-unsafety is acceptable, and shipping more software in safe languages that would previously have been written in an unsafe language. This includes not so much straight-up rewrites of existing applications (which Joel says is bad); mostly, I see piecemeal, in-place rewrites of components (like Servo), and also new applications in well-established categories (like Xi and CrosVM). New applications also give us a chance to re-think old designs, as Xi notably does (with its cross-platform, client/server, multiple-front-end design).
Socializing the value of simplicity, and throwing away complexity, at all levels: UX, languages, libraries, frameworks. In particular, nobody should start a new project in C++.
The State Of Software Security In 2019 [Chris Palmer/Noncombatant]
(via Four Short Links)