Why is Application Security so Elusive?

Consumer and business products that we use every day — calculators, lawnmowers, stoves — are very robust and meet or even exceed industry and legal standards. And, although they might fail from time to time, I remain comfortable using them.

So why then does software lag in terms of overall quality compared to these devices? Why don’t we use a comparable quality assurance model for software so that we can relish in the thrill of having applications that aren’t fragile when put into production?

The reasons are many, but two of the primary ones are:

  • People don’t consider (or even know about) all the aspects of software quality.
  • Application reliability and security expertise is a rare and valuable commodity.

    Using the familiar framework, the food pyramid, allow me to discuss why security and reliability defects persistently exist.

    I won’t bore you with lots of analogous statements to the food chart because at a micro level, comparing software applications to cuisine is like, well, comparing apples to oranges (pun intended).

    However, at a conceptual level, this proposed software quality pyramid and the food-group pyramid are similar because both are designed to set guidelines for the general population looking for a well-balanced approach and they are de-facto categories set by independent assessors for the betterment of their respective industries.

    Let’s start at the bottom where you have your compulsories — your breads and cereals. These are heavily abundant and the lion’s share of recommended daily intake.

    As you work your way up through the fruits, vegetable and meats and finally to dairy, the recommended allowance changes based on a meaningful algorithm of value to the body.

    Some are healthier than the others; some are much harder to live without; some are more difficult to obtain because of cost or accessibility. Regardless, the significance remains the same: the food chart is a pyramid because all food is not created equal, and finding the proper balance is critical.

    Software quality is no different. However many software teams have chosen to eliminate security from their process for building and deploying reliable and secure products.

    The application quality stack (Fig. 1) groups five aspects of software quality in a hierarchy based on several factors. Continue to think of it as a software quality food chart, a general guideline for good software quality intake with five basic components: functionality, system test, performance, reliability and, the elusive, security.

    Figure 1: The Application Quality Stack