Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

A View from Jean Yang, SM ’10, PhD ’15

The Real Software Security Problem Is Us

The only reason our online life is insecure is that we let it happen.

  • June 22, 2015

A colleague recently described a fun Friday night for his teenage son: staying home and chatting online. Every now and then there’s a party where all his friends talk on their laptops.

We’re getting more and more used to living in such virtual spaces—yet there’s an important distinction to be made between virtual spaces and the actual physical spaces we walk around in. We usually expect that we can walk across a bridge or into a building without the structure collapsing. We don’t have that kind of confidence with software programs.

Believe it not, we could, in the not-so-distant future, actually live in a world where software doesn’t randomly and catastrophically fail. Our software systems could withstand attacks. Our private social media and health data could be seen only by those with permission to see it. All we need are the right fixes.

The problem with modern software is that we’ve been building our “skyscrapers” with the same materials and techniques used to build huts. Software began as a collection of bricks: simple procedures, sequences of commands for calculations, games, and curiosities. Decades later, we have millions of procedures interacting with each other on interconnected machines with access to all kinds of secret information. Yet we’re still using similar languages and tools.

If we want our systems to have fewer vulnerabilities, we need to use better building materials. The languages people use today make it too easy for the programmer to make mistakes, and they make it too hard to detect the mistakes.

A better way would be to use languages that provide the guarantees we need. The Heartbleed vulnerability happened because someone forgot to check that a chunk of memory ended where it was supposed to. This could only happen in a programming language where the programmer is responsible for managing memory. So why not use languages that manage memory automatically? Why not make the programming languages do the heavy lifting?

Another way would be to make software easier to analyze. Facebook had so much trouble making sense of the software it used that it created Hack and Flow, annotated versions of PHP and Javascript, to make the two languages more comprehensible.

This is partly our own fault. We find online life fun, so we tend to let sites do whatever they want with our personal data. Software companies respond by churning out new features as quickly as possible, using the most convenient materials and tools at the expense of security.

Change won’t happen until we demand that it happens. Our software could be as well-constructed and reliable as our buildings. To make that happen, we all need to value technical soundness over novelty. It’s up to us to make online life is as safe as it is enjoyable.

Jean Yang is an assistant professor of computer science at Carnegie Mellon University, and the cofounder of Cybersecurity Factory, an accelerator focused on software security.

Want to go ad free? No ad blockers needed.

Become an Insider
Already an Insider? Log in.
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Online Only.
  • Insider Online Only {! insider.prices.online !}*

    {! insider.display.menuOptionsLabel !}

    Unlimited online access including articles and video, plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.