In an era of rising security concerns and increasing technological complexity, it’s important to take a step back and appreciate the fact that some of the most important parts of information technology come down to completely boring things like maintenance. Just because they’re boring doesn’t mean they’re unimportant.
We live in a world where new ideas get way more attention than old ones do.
It’s just a fact of life, and it has the effect of burying the stuff that really matters. Startups don’t show up on the front page of Product Hunt for slightly smoothing over or properly maintaining an existing process. The work of the developers and engineers we celebrate is often in the realm of the experimental or the inventive.
And yes, there is more room for innovation. There is lots more room for it, in fact. But it can’t come at the cost of basic maintenance of the things that simply must be there.
In a year that started with the Cloudflare-affecting security flaw Cloudbleed, that was punctuated by the ransomware attacks like WannaCry and Petya, defined by the Equifax data breach that affected a solid portion of the U.S. population, and finally bookended by the rumblings of what’s already promising to be this year’s banner cybersecurity story—the discovery of Meltdown and Spectre, formally announced during the first week of 2018—the Alliance clearly had a lot to cover in its report.
“Surprising no one, 2017 marked another ‘worst year ever’ in personal data breaches and cyber incidents around the world,” the latest Cyber Incident & Breach Trends Report [PDF] stated. “Attacks involving data theft, ransomware takeovers, business email compromise (BEC) for financial or credential theft and infiltration of Internet of Things (IoT) connected devices hit organizations both large and small.”
OTA noted a stark 159,700 total incidents last year, 93 percent of which were technically preventable. The costs of these incidents were stark too—ransomware alone cost businesses $5 billion last year, according to statistics from Cybersecurity Ventures.
The reason why so many “preventable” incidents proved so troublesome? Easy—maintenance is one of those things that’s easy to forget about or downplay in favor of the “Next Big Thing.”
A recent TechCrunch piece I stumbled upon made this point effectively with its hilarious title: “Move Slow and Break Nothing.” Author Danny Crichton’s point? We’re demanding much more of our underlying systems and not spending enough time focused on keeping them maintained—especially as those systems become increasingly reliant on the existence of other systems.
“Complex systems are ones in which changes, even small ones, can have disproportionate effects on the outcome of a system,” he wrote.
His point is totally valid—ripple effects can show up throughout the technology process, due to all the infrastructural complexities we’ve created by moving to the cloud, by relying more on third-party vendors, and by leaning heavily on a variety of nonspecific tools that show up on millions of sites.
A great example of this ripple effect in action took place two years ago, when a programmer decided to remove a number of his modules from the NPM registry for Node.js code. Unfortunately for the many programmers that rely on the Node.js runtime environment, this was bad news, as the removal of one tool, a simple programming script called left-pad that was designed to pad out the spacing of strings in code, proved unexpectedly pivotal.
The reason for the removal was one of protest: A programmer was miffed about being asked to rename a module by the popular messaging startup Kik, which claimed copyright infringement, and he took down his packages to show disapproval.
The result of the decision meant chaos for everyone else that uses NPM. This very basic piece of code was used by some of the most popular pieces of software in the NPM database as a dependency, and as a result, programmers were unable to compile software that depended on these much larger software frameworks.
Eventually, the operators of NPM took the then-unprecedented step of putting the piece of code back.
Just imagine if this unintended side effect of a legitimate protest was actually intended as malicious.
Many External Moving Parts
While not every ripple effect will be quite this dramatic, we’re in an era when every organization’s code is connected to outside resources in unpredictable, unexpected ways.
Fundamental pieces on our websites are hosted on other people’s servers—often for reasons of speed, but naturally creating security issues. Vendors may unwittingly take their eyes off the ball when cost-consciousness takes priority over speed. Open-source software, however big or small, may be deprecated by its original developer, leading to unexpected changes. Startups that make useful tools shut down, requiring the use of a replacement—and putting a hole in your budget.
And as things become more diverse, the number of potential points of failure rises to a troublesome level. TechCrunch’s Crichton notes that this problem of resourcing seems to be getting worse, not better.
“Everything requires maintenance, practically all the time. It doesn’t have to be millions of man-hours, but it is also certainly not going to be zero either,” he explains. “Yet, coding libraries are abandoned all the time. Many popular libraries are down to a single maintainer, who keeps the library alive but can hardly be expected to guarantee its performance.”
OTA, in regard to security issues, underlined this point in its report as well.
“Cloud services, third-party processors and external business partners expand the attack landscape,” its report stated. (The alliance recommended conducting risk assessments, as well as requiring vendors to produce reports regarding their security, technology, data removal processes, and documentation.)
Your organization can’t control everything that happens outside its doors, but it should probably take steps to at least understand it—what kind of support is needed for the tools you use, where redundancy can be built into the process, and how important all these parts are.
We’re in an exciting time, one where cloud computing is letting us do so many more things than we could’ve done even a year ago. But the excitement that generates shouldn’t overshadow the basics.
Maintenance is boring, but we should still do it.