Mythic Monday – Stables of Augeas
Cleaning the stables of Augeas, for those that do not recall, was the fifth labor of Heracles. His task, one of many he had to complete to gain the forgiveness of the gods for accidentally killing his wife and children, was to remove all the dung produced by King Augeas’s immortal cattle. Unlike most of his other labors, this one was deemed impossible not because of any inherent danger but because of the sheer amount of work. On the positive side, if Heracles did it, he would get one tenth of the cattle.
Heracles managed the task by thinking outside of the box. Instead of cleaning the stables in the traditional manner, he rerouted two rivers to wash it all out (and, presumably, caused a fish kill somewhere downstream). In one day’s work, Heracles managed to make the stables more efficient and eliminate many of the legacy problems associated with an unclean stable – bacteria, fungus, pests, misplaced pitchforks. King Augeas was then perfectly positioned to make improvements and run his stable better than ever before. Of course, he didn’t do this, preferring instead to try to cheat Heracles out of his reward, and got killed for it.
But our security lesson today isn’t about Augeas (though “don’t tick off demigods” isn’t a bad general rule). Instead it’s about cleaning things up. Just as various threats lurk in manure and compound over time, the same applies to source code. If you develop software, I’m sure that your developers have come to you at various times and suggested that the code base be wiped clean and they be allowed to start over. Odds are that you’ve said “no”. Odds are that you were right.
It usually doesn’t make sense to throw work away and start over. Doing so would give your competitors a time advantage, and while you’re building the newest whizz-bangiest system out there, you’re losing market share. However, if you let the bad code pile up too deeply, the internal threats will grow and you may not be able to handle them. Then, like King Augeas, you may choose to ignore the problem and hope for a hero to come by. In the meantime, other systems will be getting whizz-bangier and you’ll be losing market share.
So what is there to do?
You basically have two options. You can hire yourself a hero (consultant) to throw away what you have and start over, which could cost you one tenth of your profits, or you could just get better at cleaning your own stable in the conventional manner. When your developers come to you, you know that it is impossible to clean the entire stable (code base), but you could allow them to clean a few stalls (modules). By taking such an approach, you can prevent pests (vulnerabilities) from mounting up without needing to worry about losing your stable entirely or even one tenth of your cattle.
So, your stables may never be completely clean, but they might be able to be kept “clean enough” so that the vulnerabilities don’t mount up and cause you problems.