What is it that makes security hard?

I’ve been asked this question numerous times, often in the guise of a question like, “why can’t you guys simply fix the security problem?” or “reliability and scalability problems are understood and solvable, why can’t you do the same with security?” or my favorite variant, “what the heck keeps you interested in security when it seems you’re fighting a ‘no-win’ battle?”
First, there is little agreement around what constitutes a “security bug” so I’ll leave that subject for another day!
Next, I’m no expert on the science behind reliability or scalability, so I’ll take it at face value that when people say these issues are “understood and solvable” they are being honest.

So what is it that makes security hard?

It’s simple:

  • Scalability and reliability issues are man-vs-machine and machines are stupid.
  • Security is man-vs-man and humans are intelligent.

This security stuff is an ongoing arms race and chess game, and each side is constantly trying to outwit the other.  We raise the bar, and the attackers then spend time trying to defeat that bar. So we raise the bar again, and so on.  With reliability and scalability, we can understand the “adversary” and that’s that. The "enemy" won’t adapt to defeat you!

To be honest, it’s this ongoing intellectual battle that keeps me coming back to security, but it also means that no one will ever build 100% secure computer products, and this is why we update the Security Development Lifecycle (SDL) twice a year as we learn new attack and defense techniques.