Are Web Apps Risky? (And Why Company Data May Not Be That Valuable)

Michael is leery of using web applications for business, writing

I don’t know if I’d want to take the risk of having my corporate data spread over several vendor’s applications and servers, but there is some appeal in handing over the technical, administrative and security tasks to someone else willing to take on that pain.

I’ve heard similar concerns about the risk of using web applications before. I suspect they are greatly exaggerated.

The arguments usually goes something like this. If my company’s data is kept on web application, there is a chance that the web application will be cracked and my valuable data will find its way into the hands of my competitors or other unscrupulous agents eager to apply it to some nefarious endeavor sure to harm me. If I spread my data across several applications the risk is multiplied because it increases the odds that one of the applications will be cracked. On the other hand, if I keep that data centralized within the company, protected by my IT people, it is safe from outside crackers because I control it.

I find some things fishy about this argument.

First, why should I expect that my IT people will be any better at securing my data than a web application sysadmin? It would stand to reason that a web applications would be more secure. As Paul Graham argues:

The argument against this approach usually hinges on security: if access is easier for employees, it will be for bad guys too. Some larger merchants were reluctant to use Viaweb because they thought customers’ credit card information would be safer on their own servers. It was not easy to make this point diplomatically, but in fact the data was almost certainly safer in our hands than theirs. Who can hire better people to manage security, a technology startup whose whole business is running servers, or a clothing retailer? Not only did we have better people worrying about security, we worried more about it. If someone broke into the clothing retailer’s servers, it would affect at most one merchant, could probably be hushed up, and in the worst case might get one person fired. If someone broke into ours, it could affect thousands of merchants, would probably end up as news on CNet, and could put us out of business.

Second, does keeping all the data centralized really reduce the risk? If a cracker gets into a central database, he’s hit the jackpot. He’s only got to crack one system. If the data is distributed across many web applications, he needs to crack into every one to do the same amount of damage.

Third, what is the danger of having the data publicized? Is the data really as valuable as you think? Consider this thought experiment: imagine that somebody cracked into Intel and managed to steal the source code for the design their latest processor, arguably their most valuable data, and posted it on the web for all to see. End of the world for Intel? I don’t think so. For the vast majority of people the code would be worthless. Unless you have access to a multi-billion dollar fabrication facility, it would be impossible to manufacture cheap knock-offs. Those that do have access to such a fab would have to invest considerable effort in learning how to build the chip, as manufacturing chips is not a straightforward process.

So for the sake of argument, let’s say along with the source code, the cracker also managed to publicize all of the process documentation, too. Then they could make the chip without a huge investment, right? I don’t think so. Though it might reduce the effort to manufacture the chip, it wouldn’t eliminate it. Somebody would still have to read all the documentation and understand it. There would be gaps in the documentation, too; information that resides in the heads of Intel employees that was never written down. Somebody would have to figure all that out, too?

But couldn’t somebody use the source code as the basis for an enhanced chip; something even better than what Intel is producing? Possibly, but Intel will be doing the same thing. Who do you think will come up with the better enhancement, the Intel engineers who developed and are intimately familiar with the code or somebody who has never seen the code before? My bet is on the Intel team.

Would it be a different story if we imagined that source code was for Microsoft Windows or the Google Internet Search routines. I don’t think so. Anybody considering competing with the creator would still have the same issues of understanding what they have stolen and building the product for themselves.

So there you have it: three reasons web applications are not as risky as you might think. They’re probably full of holes. Poke away.