What makes security hard?

Michael Howard:

I’ve been asked this question numerous times, often in the guise of a question like, "why can't you guys simply fix the security problem?" or "reliability and scalability problems are understood and solvable, why can't you do the same with security?" or my favorite variant, "what the heck keeps you interested in security when it seems you're fighting a 'no-win' battle?"

...

So what is it that makes security hard?

It’s simple:

  • Scalability and reliability issues are man-vs-machine and machines are stupid.
  • Security is man-vs-man and humans are intelligent.

This security stuff is an ongoing arms race and chess game, and each side is constantly trying to outwit the other. We raise the bar, and the attackers then spend time trying to defeat that bar. So we raise the bar again, and so on. With reliability and scalability, we can understand the "adversary" and that’s that. The "enemy" won’t adapt to defeat you!

How right he is to say that this is a constant battle between those who try to develop secure software and those who, perhaps with more time, money at stake or other motivations, devote themselves to finding vulnerabilities.

It is therefore our responsibility as developers to stay alert to the security issues that can arise in our applications; otherwise we will be at a disadvantage and will probably have already lost this relentless fight 🙂