By this time you read this, you will already heard about the latest security outbreak called ‘Bleeding Heart’. Don’t worry, we are not going to discuss the vulnerability in the OpenSSL code as that has been well covered in the media already. Rather, we’d like to draw your attention to commonalities between this outbreak, and… the Pine Beetle. As our world is slowly coming to terms with (and proven many times, even in the past few months), it is impossible to build a truly secure system. Between NSA, hackers, your employees, careless coding, and a whole host of other reason, someone is bound to get in.
What’s makes vulnerabilities so much easier to exploit, is the wide adoption of the same technology. Remember the Nimda virus (if you don’t, Google it)? In a matter of minutes, the Nimba virus spread around the world. How? It targeted any machine with a Windows operating system (and what’s the chances of finding one of those?!). Of course, as a result Microsoft became a very easy target for everybody to mock; especially by people within the open source community. But this time, it was open source technology that, left unpatched for two years, allowed anybody to read information from a secure server.
There’s not point in arguing over whether to use a proprietary or open source software. Security is not a valid argument. What we should be focusing on instead, is to build resilient systems, rich in diversity. It would serve us well to take a lesson from nature. An rich ecosystem is high in diversity; it is this diversity that creates the optimal environment to defend against outside threats. If you have a monoculture forest, one beetle is all it will take to wipe it out. In the same way, if all your systems are running on the same platform, one attack or virus is all that is required to take it down.
What you may have saved on licensing, development, implementation and maintenance is instantly gone; typically, the losses extend far beyond the technology investment alone.
Rarely do systems architects even consider the possibility of these risks when designing a new system; while in fact, assessing vulnerability risk should be a key criteria in the equation.