Software Changes Fast. How We Adapted for 20 Years Running

In case you haven’t heard, it’s our 20th Anniversary this year. Naturally, we’ve been reflecting and reminiscing about our journey since starting in September 2002, and one theme immediately started to emerge: Change has been the only constant.

The world has obviously changed a lot since the beginning of the millennium. But is there any area where it has changed more, and more consequentially, than in the realm of technology, and software specifically? We wrote previously about how every company is now a software company. That’s because we now live in a software-driven world where apps make literally everything possible.

That happened fast – but not overnight. Throughout our 20 years, we have seen software change at an unbroken pace, instantly supplanting one innovation with another while advancing into territory thought impossible a few years prior. Cloud computing, smartphones, IoT, and blockchain: They all emerged in the same 20-year period that Security Innovation has been open. Thank software for all that.

With so many advancements rewriting what’s possible, it has been easy to lose the forest through the trees, focusing only on the latest and greatest software developments but missing the broader, bigger trends happening in the software ecosystem over time

We have seen a thing or two over our years working on the frontlines of the software industry. On the occasion of our anniversary, we found some time to articulate what we have observed and anticipate what it means for the future of software. Where have the last 20 years taken us, and what lies ahead? Those are important questions – and we have some interesting answers.

Tracing the Trajectory of Modern Software

We can group the constant changes of the last 20 years into three distinct buckets.

First, changes to software itself. Compared to 2002, software has become vastly more prolific and diverse, with an app to solve anything. It has also become extremely complex – did you know modern sedans routinely have over 100 million lines of code? Pressure to build complex apps faster has pushed developers to use pre-made code and “assemble” apps from interchangeable (some vulnerable) building blocks. Similar forces have pushed vendors to lock down code, replace licenses with subscriptions, and offer configuration instead of control. Which is all to say, we have seen software get extremely important and extremely risky.

People are the second bucket. The number of software developers has multiplied several times over since we started. Despite the constant influx of talent, however, skills gaps are widening. Constantly changing software means there are always new programming language, apps, stakeholders, and threats to accommodate, leading to lots of unfilled jobs and under-resourced development teams. Life has certainty gotten harder for the people building software. For the people consuming it, though, there’s now an insatiable appetite for new features and experiences. In many ways, people’s demand for software exceeds people’s ability to supply it.

The third and final bucket to consider is how attitudes and approaches around software have changed in 20 years. When it comes to our specialty, software security, things have only changed by getting worse. In too many cases, security continues to be “bolted on” rather than integrated throughout development as an essential component of software quality. The network-focused approach to security endures even through the cloud makes private networks basically irrelevant. And we rely too much on security tools (rather than people and processes) because the pace and pressure of DevOps demands it. Software-related risks have risen significantly, but security still comes second. That hasn’t changed. 

Learning the Right Lessons

We haven’t just observed these changes – we have felt them firsthand. Our own history runs in close parallel with the software industry’s. As it has changed, so have we; and learned some important (sometimes painful) lessons along the way:

  • Fail Fast – Our first major product, a Windows app testing environment called Holodeck, found some attention and enthusiasm; but the emergence of web app development and deployment basically made it obsolete for all but a select few organizations. Proud of what we built; we kept Holodeck going longer than we should have. Continuous change means that irrelevance is always around the corner. The key, as we discovered, is to acknowledge when something isn’t working sooner rather than later. Holding out accomplishes nothing.
  • Be Proactive – It’s easy to get complacent when you’re on the cutting edge. We offered something unique and novel in 2002 with Holodeck but things quickly transitioned, and we didn’t see that transition coming early enough, nor adapt fast enough. Failing fast is important; however, just as paramount is figuring out what to do next – quickly – with those resources. We’ve been careful not to repeat that mistake, but in an industry where change is sudden, swift, and often surprising, that’s never easy.
  • Challenge Expectations – Early on, Security Innovation offered a training library mostly focused on language-specific courses. What we soon discovered was that developers are only one stakeholder in security, and defensive code just one component of a robust software ecosystem. As the world of software evolved from apps being coded from scratch to today’s assembly-for-existing-parts model, we needed to challenge our own perception of what training was needed.  Even though our founding team were world-class experts in software development, they still had things to learn and changes to accept. We took away from that experience the lesson that you should always be willing to challenge your own expectations, especially when you know that change is inevitable.

 Now is a good time to learn these lessons because the pace of change so no signs of slowing down. Imagine how much of our life’s software will facilitate 20 years from now – from driving our cars to building virtual worlds. Expect to see an avalanche of new languages and tech stacks, along with plenty of evolving consumer demands, cyber threats, and market pressures. Change isn’t going anywhere.

Fortunately, we are pretty used to anticipating, adapting, and innovating after 20 years of keeping up with the software industry. We’ve been around this block a few times by now. That experience has become our greatest asset.