Shame and security

Our response to another dev community's vulnerabilities says more about our personal insecurity than it does about their code's insecurity.

Full-stack web developers are generally a smart bunch—some exceptionally so, especially when you consider the increasing amount of complexity that must be navigated to build a modern web application.

Developers are universally defensive about the security of their code—and even more so, their chosen tools.

Over the past year, there have been widely publicized vulnerabilities in Rails and Ruby. We've admittedly seen developers in other communities point and laugh. In turn, the Node ecosystem has seen its share of vulnerabilities, including one that a couple evenings ago generated a prominent Twitter dustup between leading developers in different communities (which I'm intentionally not going to link to).

The security of a platform eventually becomes a running joke to everyone who doesn't use it. Being able to point at the so-called "failures" of others helps us justify the choices we make.

Because we ourselves are insecure.

We are afraid. And by pointing and laughing when others fall, we are gathering our arsenal for the coming time when we, too, will be shamed for introducing a vulnerability.

Yes, it's shame.

Physical comedy and pratfalls are one of the most universal forms of humor. It doesn't matter if you understand the language or the culture, watching someone take a huge fall slipping on a banana peel or spill an entire soda on their pants makes us immediately laugh.

That response is completely human—we are laughing that it's someone else who is experiencing the embarrassment we know that we are also capable of experiencing. It's relief.

Relief that it's not us.

Whether you are a developer building new things or one maintaining aging systems, part of your job is to write bugs and vulnerabilities.

No doubt, that's a crass and disrespectful way to put it—no one wants to write bugs, let alone security vulnerabilities. But security is a moving target; even if the vulnerability in the code you're writing isn't revealed for years, not until some big 0day drops, that code is still eventually insecure.

So I get really depressed seeing the point-and-laugh about security between different software communities.

Are we in high school? Is this Sharks vs. Jets in some stupid gang fight? Put down the spitballs, people, and stop depantsing each other.

Web development across the board needs to culturally evolve to the place where (1) there's no shame in an honest vulnerability, and (2) we have mature and respectful ways to report, address, and disclose vulnerabilities.

Shame should be reserved for unproductive name-calling and defensive reactions.

Security matters—and it matters now more than ever. With corporations selling vulnerabilities in their software to the government, and a well-established black market buying and selling 0days for our software, can we stop with the cycle of smug finger-pointing, name-calling, and shaming in the open source community?

Node developers and Rails developers are different—but we're probably as close to each other as any other developer communities out there. Which is the entire reason for so much heightened vitriol between the two communities when a vulnerability is revealed. (See Freud's "narcissism of small differences".)

Even if we hate how they cut their grass or educate their kids, it's not funny when our next-door neighbors' house is left unlocked and vandals are told about it.

And when a vulnerability is identified in our neighbors' software platform, there's no reason to point and laugh.

It should instead inspire us to ask:

  • "Where is it possible I'm already owned, but just don't know it yet?"
  • "How can we respond better, faster, next time?"
  • "How can we provide support and education?"
  • "What are the blind spots in the way our community thinks about security?"
  • "Where can we learn from other communities?"
  • "How can we solve the overwhelming problem of the fact that our top open source producers completely lack the time and passion to maintain their aging projects?"

Thinking this way about all of the above is what Adam Baldwin has been teaching our team at &yet over the past five years.

This is what I love about The Node Security Project—and why I have such respect for Adam: he's taking this show on the road.
