Security by Incentives

Thursday, February 24, 2005

Of all ideologies, the ideology of security is the most unforgiving one, unlimited in its consequences due to its utopic, absolutist nature. As Bruce Schneier said, When you put the police in charge of security, the trade-offs they make result in measures that resemble a police state.

Of course the security scare has long infected software development as well. According to a DevX article discussing who's to blame for vulnerabilities in software:

• 99 percent of developers want to write secure code.
• Oracle cancels bonuses and stock options for entire teams if their code fails security audits.

Something doesn't add up here. How, exactly, is motivation supposed to work? The corporation is scared by attacks, so we try to bully developers?

So perhaps the moral of the story is that incentives are nothing but an utterly dilbertesque form of bullshitty Ersatz management. As employees, we should ignore the bonus, and focus on overrunning those buffers some more.