Whose fault is it when data is stolen? It’s rarely blamed on the programmers.
If a company executive leaves a laptop filled with confidential data in a taxicab, you probably wouldn’t blame a software developer. Instead, you’d presumably ask, why was that data on the laptop to begin with? I’ve often wondered why corporate executives have access to customer card information in the first place, and why security policies allowed such data to be downloaded to any end device, especially a not-locked-down laptop. But you wouldn’t blame the programmers.
If an unencrypted data backup tape disappears en route to a secure offsite facility, you’d yell at a sys admin, not at a C++ coder. “Why wasn’t the data encrypted?” you’d want to know. “How could it be written in plain text?” That’s the fault of the backup software, or again, security policies—not the programmer who wrote the applications whose data is being backed up.
Now, whom do you blame when hackers violate credit-card terminals? My family’s local grocery store—a Lucky store in Millbrae, Calif.—was recently penetrated by so-called skimmers, who tampered with in-store card readers and grabbed up to 500 customers’ credit card numbers. As far as we can tell, our credit card wasn’t compromised, but you can trust that we’ll be scrutinizing the Visa bill extra closely from now on.
Certainly you can blame Lucky for not ensuring the physical security of those devices. But what about the back-end programmers for the grocery chain? How about the embedded developers of the card reader’s firmware? Or how about any number of applications that were involved, from the credit-card clearinghouse to the bank? Could programmers be in any way responsible? Could they have done something, anything, to prevent this incident?
The reality is, well, no. It’s unlikely, especially since the devices were physically tampered with. But even so, it’s impossible for programmers to anticipate every possible scenario, or to model every type of threat to a complex web of applications developed by many companies, and administered by many companies.
Just as no series of locks and alarms can truly prevent a home from being targeted and robbed by criminals—or burned down by arsonists—there’s an increasing awareness that there’s nothing that developers can do to protect today’s interconnected applications 100%. But that doesn’t mean that we shouldn’t try.
Alan Zeichick is editorial director of SD Times. Read his blog at ztrek.blogspot.com.