Thursday, May 31, 2007

Complexity vs. Security

Yesterday, Ronald van den Heetkamp wrote a blog entry entitled "Simplicity" in which he points out that, in the long run, applications can only stay secure if they keep a certain degree of simplicity, because developers would otherwise lose sight of them as the complexity of an application grows.

I think on that matter Ronald is perfectly right, but the remaining question is how code can be kept simple and secure in a Web 2.0 world where new technologies, ideas and features become public on a regular basis. I do not think we can achieve security by simplicity in the sense of removing unnecessary technology. That's what Ronald essentially means at the very beginning when he talks about application Darwinism.

In my view that comparison is somewhat flawed, because as far as technology is concerned we will probably never experience a decline. It is rather the opposite.

So, I personally see the future for both simplicity and security only in frameworks. When using them, most software developers' intention might be to have a well designed, well performing and well working application. At the same time, however, applications are likely to become much more secure, since the development frameworks we have today pay more and more attention to that.

For instance, as a PHP developer working with the Zend Framework, I find it very easy and comfortable to prevent the most common vulnerabilities such as Cross Site Scripting, SQL Injection or Remote File Inclusion.
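To make the point concrete, here is an added illustration in plain PHP (not code from this post and not Zend Framework code): three small helpers stand in for what a framework centralises, so that the application developer handles each of the three vulnerability classes named above by calling one function instead of remembering the rule at every call site. The helper names, the table and the request values are constructed for the example.

```php
<?php
// Added illustration, not from the original post or from Zend Framework.
// Helper names (html, fetchUserByName, resolvePage) are hypothetical and
// stand in for what a framework would provide.

// HTML output context: every value reaches the page through one escaper,
// so Cross Site Scripting is prevented without per-template decisions.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Database context: the value is bound as a parameter and never
// concatenated into the SQL text, which is what defeats SQL Injection.
function fetchUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Include context: a requested page name is mapped through an allow-list,
// so a request parameter can never select an arbitrary local or remote
// file for inclusion (Remote File Inclusion).
function resolvePage(string $requested): string
{
    $pages = [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
    return $pages[$requested] ?? $pages['home'];
}

// Constructed in-memory table and constructed hostile request values.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");

$name    = "alice' OR '1'='1";          // treated as a literal name, not as SQL
$comment = '<script>alert(1)</script>'; // rendered as text, not as markup
$page    = '../../etc/passwd';          // not in the allow-list, falls back to home

var_dump(fetchUserByName($db, $name));
echo html($comment), PHP_EOL;
echo resolvePage($page), PHP_EOL;
```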

Consider this my two cents. I see that Jeremiah Grossman had the same thought back in 2006, and I would like to finish with his words:

When developers find that it's WAY easier and WAY better to do RIGHT by security, then we'll get somewhere.
