IT don’t come easy

Currently in the news, as I write this: the personal data of nearly all American voters was accidentally leaked by Deep Root Analytics, a conservative marketing firm employed by the Republican party, specializing in targeting political ads.

It is only the latest (and largest) in a seemingly endless stream of stories about accidental leaks of sensitive data online.

It isn’t that computer security is hard – at least, not compared with other kinds of engineering challenges, such as building a bridge that won’t fall down. Paradoxically, the problem is that programming is so easy.

Never mind that programmers often get called “wizard” and “genius” – that’s only occasionally true. The fact is that most programming is dead easy. Indeed the ease of creating working software is the very reason for the technology revolution we’ve been living through these past few decades. Remember when HTML was new and suddenly everyone and their dog had a web page because it was so easy? Programming is like that, but for making machines do useful work.

Not all programming is easy, of course. Some of it is quite tricky – like computer security. But because so much of the rest of programming is so easy, most software engineers never develop the habits of rigor and precision that in other fields are simply the price of admission. The result: incompletely tested code full of exploitable flaws, best practices not followed and oftentimes not even known about, and your personal data and mine secured by the digital equivalent of Barney Fife.