The Book of Ryan

Chris Palmer writing for the EFF:

In my own private-sector security industry work, I observed a pattern: the higher the stakes, the worse the security. “Worse” usually means “more easily resolved with known techniques”. I evaluated a wide range of applications and platforms, and almost invariably found that the most important systems — those managing life, health, and money — were poorly engineered. By contrast, small startups doing something interesting but not (yet) critical would sometimes have very well-engineered systems, with entire classes of vulnerability designed away, minimal feature creep, and solid development practices reducing the risk of accidental implementation flaws. I suspect the reason for this pattern is that organizations that handle life, health, and money do not think of themselves as software engineering organizations, and so seek to minimize engineering costs. Additionally, engineering-driven companies tend to be disruptive newbies who have not yet made a big enough impact on the market to control much important information.

Fascinating.