The dark side of institutional death

Jan 28, 2022 Tags: #security #musings #asymmetry-series

In thinking about asymmetry in security engineering versus regular software engineering, there’s one thing I bump into over and over again.

Standards, and progressing the security baseline via standards. Every standard is an equilibrium of different requirements against the functional goals of the thing being standardized. Here’s a good post that points out how, frequently, inefficient equilibria in standards become outdated:

Institutional death, autophagia, institutional senescence (https://250bpm.com/blog:160/) allows us to default on inefficient equilibria and unblock moving forward.

I believe it’s often happening already, and it’s not always a good thing. Think JSON / XML. Or any other “next generation” technology that wipes out the previous one.

There are some limitations, and they are very relevant in a security context:

  1. Security is, in a way, a science of understanding how things fail. “Failure memory” has unparalleled value for building new stuff securely. Institutional death removes the memory of failure along with those who failed. Solutions to problems can be irrelevant at one time but relevant later.
  2. Some institutional senescence obliterates the knowledge that makes up this failure memory. Some of it is quite unique. Is Sun’s institutional knowledge of OS design really so irrelevant in a world where containers (which first appeared in Sun’s operating systems) become the dominant form of application isolation?
  3. Institutional death makes us re-invent the wheel with certain fitness criteria in mind. And as new people gather together to identify the new standard way X(N+1) of doing X, they focus on a small subset of what was wrong with X(N). The fitness criteria cover the main pain points, not the whole picture.

Think of XML and what came to replace it. Think of JOSE and what it replaces.

There is a knee-jerk reaction to reach for the “worse is better” mantra, even in me. But worse is better only until it’s actually way worse. Couple “worse is better” with “institutional death” and we stay in a constant circle of self-repeating reinvention.

What happens is that if institutional death removes the previous people (with their failure experiences) and focuses on building the X(N+1) way with a limited set of priorities, security stays outside the process and keeps being a chase-and-catch game for defenders, who exist in their own mental space and are likely to keep the knowledge convenient to their way of doing things.

And the asymmetry I’ve been writing about for a while now only gets worse. Without better.