Moving Fast and Breaking Things: How to stop crashing more than twice
Tobias Fiebig

TL;DR
This paper advocates for adopting aviation safety principles in IT security, emphasizing resilient system design and structured incident handling to reduce recurring security failures.
Contribution
It introduces a 'clean slate policy design' and a safety-oriented approach to improve IT security practices inspired by aviation safety protocols.
Findings
Security issues recur due to inadequate safety measures
Aviation safety principles can enhance IT security resilience
Structured incident reporting improves security response
Abstract
"Moving fast, and breaking things", instead of "being safe and secure", is the credo of the IT industry. In this paper, we take a look at how we keep falling for the same security issues, and what we can learn from aviation safety about building and operating IT systems securely. We find that computer security should adopt the idea of safety. This entails not only building systems that are operating as desired in the presence of an active attacker, but also building them in a way that they remain secure and operational in the presence of any failure. Furthermore, we propose a 'clean slate policy design' to counter the current state of verbose, hardly followed best practices, together with an incident handling and reporting structure similar to that found in aviation safety.
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Advanced Malware Detection Techniques
