Maturity adds to security
I know it’s obvious, but we tend to forget it and expect technology to be secure just like that, from the very moment of its conception in the inventor’s mind. The sad reality is that even technologies designed to provide better security happen to be insecure themselves. The trouble, as it seems, is that it’s considerably difficult to see all the possible weaknesses from the very beginning, especially when functionality is a lot more of a concern than security.
So, just face it — once we develop a brand new technology it nearly always has fundamental flaws (think web scripting and all the SQL injections, XSS (Cross Site Scripting), etc.). It was essentially the same with coding “normal” applications — they have been full of buffer overruns, integer overflows, format string vulnerabilities, etc. But then, after something like ten years, ideas like sandboxing or managed code caught on and seem to be doing a fairly good job. Interpreted languages with a high level of abstraction in memory management became efficient enough to be of any use. Programmers learned how to properly use standard APIs. And finally the trouble with memory management slowly started to be less and less painful.
Add to that the fact that new and much easier to exploit vulnerabilities emerged, and everybody slowly turned their back on the good old buffer overruns and such. Instead we have XSS, CSRF (Cross Site Request Forgery), SQL injection and their family.
But what will happen to them in time? Of course, they will slowly become harder to exploit. Smarter web developers have already started using robust frameworks that reduce the chance of introducing web-era vulnerabilities into their code. The world is slowly learning how to use web IDS/IPS systems. And generally, we get more and more secure every day.
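The point about frameworks making web-era bugs harder to introduce comes down, for SQL injection, to one habit: the database driver binds user input as data instead of the programmer pasting it into the query text. The following added example (mine, not part of the original post) shows the two styles side by side against a constructed in-memory SQLite table; the table, its rows and the `lookup_*` function names are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """The old style: the caller's input is spliced into the SQL text,
    so any quote in the input becomes part of the query grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """The framework style: a placeholder in the SQL, the value bound
    separately by the driver. The input can only ever be a string value."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(conn):
    """Run both styles on an ordinary name and on a constructed input
    that contains a quote, and return what each one gives back."""
    benign = "bob"
    quoted = "x' OR 'a'='a"  # constructed: a value containing SQL quote characters
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_quoted": lookup_concat(conn, quoted),  # grammar changed: every row
        "param_benign": lookup_param(conn, benign),
        "param_quoted": lookup_param(conn, quoted),    # treated as data: no rows
    }


def concat_breaks_on_legit_quote(conn):
    """Parameter binding is also a correctness fix: a perfectly legitimate
    name with an apostrophe is a syntax error for the concatenated query
    but just a value for the bound one."""
    legit = "o'brien"
    assert lookup_param(conn, legit) == []  # not in the table, but no error
    try:
        lookup_concat(conn, legit)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    for key, rows in compare(db).items():
        print(f"{key:15s} -> {rows}")
    print("concat fails on o'brien:", concat_breaks_on_legit_quote(db))
```

Detection of the concatenated style is cheap in code review and in static analysis: any string concatenation or formatting whose result is passed to `execute` is suspect, while a query with placeholders and a separate parameter tuple is the shape to expect.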
But what will happen next? Some brand new, shiny technology everyone sooo wants to use will pop up, no doubt about it. And we’ll have the same trouble again. Unless of course security gets designed into the technology from the very beginning (not likely to happen, unfortunately), or unless we let it mature before running an internet banking site on it. It won’t be cutting edge then anymore — true, but isn’t it better that someone else flies the plane the first time?
So, here is the trade-off — you either wait for enough people to get burnt trying out the new toy before you put your hands on it, or you are the one that others watch getting burnt. It’s always like that, I’m afraid. And I think the best advice here is to know how much you are risking before you decide either way.