In this interview, Pete Lacey, who recently became well-known in the SOA community because of a series of blog posts starting with a very funny one entitled S stands for Simple (which was covered at InfoQ as well), talks to InfoQ’s Stefan Tilkov …

I have a 1.5 year old boy. Not enough time to blog.

Thanks though.

Military grade authentication/encryption systems for what we do is an absolute overkill (reporting app with web-services back ends on an intranet), and yet if we do anything less, it’s not secure anyway, because a dedicated hacker can get in and get the crown jewels.

We use ssl and hashing some, but overall the security is hodgepodge, accumulated layers over years of initiatives that have left things in a worse state than no security at all.

Ultimately, the approach we take is to just watch everything. Yes we use automated tools as watchmen, and we watch those too. It’s easier to watch things that aren’t cryptic to the naked eye.

Security tool vendors, in my opinion, fail to address the “but how to we find out if a hacker _does_ break into the system” question. Between private keys, public keys, certificates, encapsulated encrypted payloads, there is nothing that stands out to the eye as being out of place. Unlike, for example, an standards web server log, on which all kinds of attacks can be spotted by a diligent human.

Ultimately, if a system does not allow a human with brain and eyes to supplement the software, it cannot be secured.

Finally, web services in production environments with mutliple database types, a hybrid os environment, and integration of very many issues ((x)html, css, dhtml, cross-browserness, differing sql dialects, stored procedures, different languages (Java, .Niet, pyhton, perl, php, ruby and plain old shell scripts, with ASP and VBS) piled up on top of win2k, xp, vista, win2k3, solaris 9 and all the IBM mainframe stuff I don’t even know enough to rant about ( I knowo there’s some COBOL in there), along with FTP, SSH, EDI and XML-RPC, and now SOAP, with different client machines setups, (Novell NAL, Citrix, and other beasts of the kind), you can imagine how hard it is to get anything to work well enough to be productionalized to 10,000 users. (sprinkle Oracle 10, MSSQL and mySQL, plus a couple wikis (twiki and mediawiki) for good measure.)

Add security on top of all that? Hello? Houston to Earth: We have a Problem.

Let me tell you how it all happens in the trenches of IT (in a fortune 200 no less): like it did in the trenches in France in 1917: With blood and gore and screams of agony through mind-numbing boredom punctuated with episodes of utter terror.

Things have to get simpler.