Survey of the 2019 security landscape reveals some surprising bright spots

Chrome security engineer and EFF alumna Chris Palmer's State of Software Security 2019 is less depressing than you might think: Palmer calls out the spread of encryption of data in transit and better signaling to users when they're using insecure connections (largely attributable to the Let's Encrypt project); and security design, better programming languages and bug-hunting are making great strides.

Palmer also identifies the rise of tech worker protests over unethical projects (drones, censorship in China, etc) as a major advance, even if you don't agree with their specific goals, saying it's "good news that our generation of engineers is growing beyond the 'I could build it, so I did; what are consequences?' mentality."

On the downside, Palmer is less bullish about the prevalence of C++ ("untenably complex and wildly unsafe"); worried about Meltdown, Spectre and related bugs; and the proliferation of scams, crapware, and stalkerware.

He's also in the camp that does not believe that proof-of-work provides good security and predicts dire environmental backlash against the cryptocurrencies that rely on it.

Missing from Palmer's analysis: the security debt created by massive silos of overcollected data in the hands of incompetent firms facing overmatched adversaries (Equifax was the beginning, not the end); the role of state vulnerability hoarding in promoting insecurity; and the growth of mandates banning working crypto from China to Australia.

Still, I see people really shipping software improvements that seemed impossible 20 or 10 or 5 years ago. We really are making progress. Heres what I want to see in 2019:

* Throwing away the idea of using engagement as the sole or primary metric.