Today was a very exciting day. There was an attempt to break into our apartment in the middle of the day. Nobody was at home, so my wife found our apartment door seriously damaged by someone when she came home. Luckily, the burglary couldn’t be finished for some reason and the burglar didn’t manage to break in.
My wife called me in the office and told me about the incident. I thought, “Well, that’s why we have this super-extra-nimbus2000-fire-proof-breach-intrusion-proof door.” I knew we wouldn’t have to worry about such things very much.
I rushed home immediately. The investigating police officer told me that we were very lucky. The burglar must have been disrupted for some reason because the door was nearly completely breached. Only a few more hits to the door and the housebreaker would have succeeded. The officer told me that today another attempt at an apartment in the same block had been successful. The door of this apartment was the same type of door as we have. Suddenly there was a strange, uncomfortable feeling in my stomach. It wasn’t the door that helped us but pure luck.
Later that day I had an interesting conversation with the carpenter who fixed the damaged door. He said that no sane door manufacturer would sell 100% intrusion-proof doors, because there is no such thing. I asked him what I could do to prevent a burglary. He smiled and said, “Not much, really. One can only secure the apartment to some degree and pray.”
What does that have to do with software development?
As with the door, there is only a limited chance to secure an application. I think with enough criminal energy there is always a way to break into applications and do harm. Interestingly, there were some good discussions in our development team about this topic this week. We were discussing ways to further improve the security of the banking app we are working on. We came up with some pretty good ideas. But none of them were perfect.
We came to the conclusion that there is no such thing as perfect security. Do the best you can to improve security in your app. There are some very good ways to do this but the cost of the implementation must be justified.
Unfortunately, you can’t prevent misuse when the users put their passwords on sticky notes and attach them to their monitor.