In thinking about asymmetry in security engineering versus regular software engineering, there’s one thing I bump into over and over again.
Standards, and progressing the security baseline via standards. Every standard is an equilibrium of different requirements against the functional goals of the thing being standardized. Here’s a good post that points out how frequently inefficient equilibriums in standards become outdated:
Institutional death, autophagia, institutional senescence (https://250bpm.com/blog:160/) allows us to default on inefficient equilibriums and unblock moving forward.
I believe it’s often happening already, and it’s not always a good thing. Think JSON / XML. Or any other “next generation” technology that wipes out the previous one.
There are some limitations, and they are very relevant in a security context:
Think of XML and what came to replace it. Think of JOSE and what it replaces.
There is a knee-jerk reaction to reach for the “worse is better” mantra, even in me. But worse is better only until it’s actually way worse. Couple “worse is better” with “institutional death” and we end up in a constant circle of self-repeating reinvention.
What happens is that if institutional death removes the previous people (with their failure experience) and focuses on building X(N+1) with a limited set of priorities, security stays outside the process and remains a chase-and-catch game for defenders, who exist in their own mental space and are likely to keep the knowledge in a form convenient to their way of doing things.
And the asymmetry I’ve been writing about for a while now only gets worse. Without getting better.