A Horse’s Rump and Cybersecurity
In many fields, people balance safety and security against time and money.
Sometimes time and money are favored too much, and things go wrong. For
example, the Boeing 737 MAX was adapted from existing Boeing 737s, which saved
on costs. The earlier model sat low to the ground so that it could be boarded
by stairs from the ground, a relic of older airports. Since that boarding
method is no longer used, the engines were moved slightly, and the software and
sensors that were changed to compensate for this physical change failed and
appear to have caused many crashes.
In software there is a similar pattern of trading safety or security for cost.
For example, buffer overflow attacks, a very common vulnerability or component
of one, are common with stacks that grow downwards, a relic of the PDP-11
architecture of the 1970s. Developers didn’t switch to upward-growing stacks
because that would have been harder to implement, and once the convention was
taught in schools it stuck. Adding safety checks slowed programs down, so even
though there were options, they were not widely adopted.
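To make the overflow trade-off concrete, here is an added example (not code from the original article) that places the unchecked copy the paragraph describes beside a hardened form that refuses input it cannot hold. The buffer size `NAME_LEN` and the function names `greet_unchecked` and `greet_checked` are assumptions made for this illustration; the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* hypothetical fixed-size stack buffer */

/* Vulnerable form (illustration only): copies whatever the caller supplies
 * into a fixed stack buffer with no length check. Input longer than NAME_LEN
 * makes strcpy write past the end of `name`, clobbering whatever the compiler
 * placed next to it on the stack. It is shown for contrast and is never called
 * with oversized input in this example. */
void greet_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no bound: classic stack buffer overflow */
    printf("hello, %s\n", name);
}

/* Hardened form: measure first, reject anything that does not fit together
 * with its terminating NUL, then copy exactly that many bytes.
 * Returns true when the input was accepted, false when it was refused. */
bool greet_checked(const char *input)
{
    char name[NAME_LEN];
    size_t len = strlen(input);
    if (len >= NAME_LEN)            /* no room for the terminator: refuse */
        return false;
    memcpy(name, input, len + 1);   /* bounded copy, terminator included */
    printf("hello, %s\n", name);
    return true;
}

int main(void)
{
    /* constructed sample inputs */
    const char *short_input = "alice";
    const char *long_input  = "a-name-much-longer-than-sixteen-bytes";

    greet_checked(short_input);
    if (!greet_checked(long_input))
        printf("rejected input of %zu bytes\n", strlen(long_input));
    return 0;
}
```

The length check is the "cost" the article refers to: one comparison per copy. Compilers also offer runtime checks that catch an overflow after the fact, such as GCC's and Clang's `-fstack-protector`, which insert a guard value below the saved return data and abort the program if it has been overwritten; those are the kind of optional safety measures that were long resisted for their overhead.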
There are many other examples of developers choosing cost savings over
security and safety, and these past decisions often propagate into future
software. However, the alternative of rebuilding from scratch doesn’t always
solve the problem. For example, HP fax machines used their own JPEG image
handling library instead of an existing one, and it was vulnerable to attack.
Which strategy is better depends on the situation; developers should be
careful about what they reuse and understand the assumptions the prior
software was built with.