Jia Tan and XZ. Malware and polyfill.io. Social Security numbers and National Public Data. These are just the most obvious catastrophic failures in the last few months, and those don’t even count Channel Files and CrowdStrike.
These failures raise the question: Is software security futile? Are we engaged in a Sisyphean effort that is destined to fail?
No, software security is not a futile effort, but it has become more complex. Practices such as defense in depth and vulnerability analysis once had to cover an attack surface of one or two applications; today that surface spans hundreds, or even thousands, of dependencies, each with its own vulnerabilities. Application stacks have grown from a few simple layers to complex webs of opaque compute nodes and orchestration architectures.
Often we don't control all of those factors, but we do control the software we ship and how we harden it.