Survey of the 2019 security landscape reveals some surprising bright spots
Chrome security engineer and EFF alumnus Chris Palmer's State of Software Security 2019 is less depressing than you might think: Palmer calls out the spread of encryption of data in transit and better signaling to users when they're using insecure connections (largely attributable to the Let's Encrypt project), and notes that security design, better programming languages and bug-hunting are making great strides.
Palmer also identifies the rise of tech worker protests over unethical projects (drones, censorship in China, etc.) as a major advance, even if you don't agree with their specific goals, saying it's "good news that our generation of engineers is growing beyond the 'I could build it, so I did; what are consequences?' mentality."
On the downside, Palmer is less bullish about the prevalence of C++ ("untenably complex and wildly unsafe"), and he is worried about Meltdown, Spectre and related bugs, as well as the proliferation of scams, crapware, and stalkerware.
He's also in the camp that does not believe that proof-of-work provides good security and predicts dire environmental backlash against the cryptocurrencies that rely on it.
Missing from Palmer's analysis: the security debt created by massive silos of overcollected data in the hands of incompetent firms facing overmatched adversaries (Equifax was the beginning, not the end); the role of state vulnerability hoarding in promoting insecurity; and the growth of mandates banning working crypto from China to Australia.
Still, I see people really shipping software improvements that seemed impossible 20 or 10 or 5 years ago. We really are making progress. Here's what I want to see in 2019:
* Throwing away the idea of using 'engagement' as the sole or primary metric.
* Socializing policy thinking in the engineering community. It's time to put on our grown-up clothes. The stuff we do matters (otherwise we wouldn't do it, right?), and that means we need to think about and deal with the consequences.
* Affordances to improve web performance across the board: a larger JavaScript standard library; performance improvements in frameworks; improvements in tooling; client-side interventions and budgets.
* Eroding the idea that memory-unsafety is acceptable, and shipping more software in safe languages that would previously have been written in an unsafe language. This includes not so much straight-up rewrites of existing applications (which Joel says is bad); mostly, I see piecemeal, in-place rewrites of components (like Servo), and also new applications in well-established categories (like Xi and CrosVM). New applications also give us a chance to re-think old designs, as Xi notably does (with its cross-platform, client/server, multiple-front-end design).
* Socializing the value of simplicity, and throwing away complexity, at all levels: UX, languages, libraries, frameworks. In particular, nobody should start a new project in C++.
The State Of Software Security In 2019 [Chris Palmer/Noncombatant]
(via Four Short Links)