Simplicity in Application Security
It seems that perfection is not reached when there is nothing left to add but when there is nothing left to take away.
There is a joke about how developers write the code. Junior devs implement the easiest solution, intermediate devs add more complexity trying to follow all possible best practices, and more senior devs prefer to write very simple code most of the time.
A really good example can be found in the The Evolution of a Software Engineer article. I'm pretty sure there is a lot of variations, but the goal is to demonstrate that the code written by very senior folks can look similar to newbie's code.
Another famous example is the "IQ Bell Curve" meme.
It may refer to just do something, e.g., just sell. You don't need to be an expert in something. Just start doing it, then learn, improve and repeat.
The truth is something in between.
Overthinking or overengineering is not great. However, we are building systems with many unknowns and would like to add flexibility and expandability. The difference between a newbie and an expert is a knowledge of what really matters and why. An expert can choose the same solution as a newbie, however, motivation may be different.
Software development is hard, application security is even harder. I always try to ask a lot of Why questions and as a result, I don't need to implement a complex solution most of the time.
Simplicity is a fundamental design principle. A simple solution is easy to understand and analyze, and it is easier to protect. It gives us a reduced attack surface (therefore the likelihood of attacks) and addresses psychological acceptability. Users will always try to create a workaround for inconvenient security controls making them less effective or even useless.
Simple is not always easy to achieve, but we should try our best. It is good for everyone, especially for end-users.
- Choose simple solutions
- Understand what you are trying to solve and why