Gânduri Eclectice – Eclectic Thoughts

I heard this phrase at the București Cybersecurity Conference 2024. Maybe it’s the (possibly slightly unusual) way my mind works, but it instantly made perfect sense to me, and now seems like an obvious thing to tell people.

So many projects only set their sights on the dessert: sweet tasty new features that make them look good. But that’s not a balanced diet. It requires neither a nutritionist nor a rocket scientist to tell you that this isn’t going to end well, especially in the long term.

• Why do so many systems I see have so much technical debt?
• Why are so many systems I see riddled with unfixed vulnerabilities?
• Why are so many systems I see not patched up-to-date?
• Why is the excuse I get so often along the lines of “we don’t have time to fix that” or “the new release must be out by ${date}” or similar?
• Why have I found systems with vulnerabilities scoring CVSS > 9.0 that have been known about for MULTIPLE YEARS?

The answer, my friend, is blowin’ in the wind.

Eat your security vegetables. Make the time. Your system will be much healthier for it, even if some of the shiny new features take longer. In the long-term, your system will be easier to maintain and develop, so adding new features will be quicker anyway.

I’ve seen many projects where a good 10% of the development effort needs to be allocated to the security vegetables. These are systems in reasonably good shape. But they won’t stay that way without care.

Others need, for the time it takes to get them into reasonably good shape, at least 25% or more of the effort allocated for this. Avoid having to have THIS conversation with senior managers by making sure that the technical debt is not allowed to build up in the first place.

Eat your security vegetables. That’s it.