“The Heartbleed problem can be blamed on complexity; all Internet standards become festooned with complicating option sets that no one person can know in their entirety. The Heartbleed problem can be blamed on insufficient investment; safety review for open source code is rarely funded, nor sustainable when it is. The Heartbleed problem can be blamed on poor planning; wide deployment within critical functions but without any repair regime.”
Quote is from Dr. Dan Geer’s must-read “Heartbleed as Metaphor” article on Lawfare. Brilliant examination of the true lessons we need to learn from this software exploit’s ‘success’, in order to best prepare for the next common-mode failure. Another quote worth sharing (but I still recommend reading the article in its entirety):
“The critical infrastructure’s monoculture problem, and hence its exposure to common mode risk, is now small devices and the chips which run them. As the monocultures build, they do so in ever more pervasive, ever smaller packages, in ever less noticeable roles. The avenues to common mode failure proliferate.”
Thanks to common-mode proliferation, we don’t have the luxury of worrying about If something will happen any longer – it’s now just a matter of When.