There are two opposite types of magic in modern tech:
- One is a proverbial Clarke’s third law: “Any sufficiently advanced technology is indistinguishable from magic”. We all strive towards that.
- Another is that “everything is going to work out because I want it to work out and, also, do not understand the problem well enough”, known as magical thinking.
Many product companies strive toward the first type of magic. But some companies, unfortunately, rely on magical thinking to keep pushing their work ahead. Latter is perfectly fine for a new social network application, gets a bit worrying when building a next-generation mobile phone, and absolutely disastrous if you’re building security tooling.
In praise of boring #
To build technology which works like magic, we rely on boring things:
- Clear understanding of where we’re going.
- Clear understanding of risks we’re mitigating and risks we’re creating.
- Clear understanding how building blocks we rely on actually work and break.
We have our own leaps of faith, of course: we believe that fundamental cryptographic assumptions are valid enough under a chosen set of circumstances. Yet, when they are not, we are the first to question assumptions we derived. We scrutinize every step when leaping from the standards and common practice.
Inside the company, we pride ourselves in being boring and meticulous. And we have reasons for this.
Boring tooling, produced in boring ways, opens up the opportunities for secure innovations. Secure innovations deliver the security promise and do not have unexpected operational modes and corner-cases for end-user.
Boring security cuts through security complexity #
Boring things don’t leave space for mis-interpretation and unexpected behavior—boring tools kill complexity instead of multiplying it.
Complex systems built out of boring tools actually work in trivially understandable ways. While complexity is inevitable for large systems, protocols, and organisations, most types of complexity introduce more security risks and challenges.
Thus, security building blocks should be boring to minimize complexity they create.
An ecosystem of tools instead of silver bullet #
There is no silver bullet to solve a security problem. Mostly because the problem itself is part of the engineering process developers carry out. As developers prefer different ways of building software, trying to retrofit security into a single form-factor is impossible.
In other words, making anti-virus as a developer tool is 100x harder than anti-virus as an end-user application.
Take a look at most developer tools around: they are ecosystems of tools rather than “one size fits all” solutions.
The best value for engineers is delivered as an ecosystem—perfectly fitting their engineering efforts
Ecosystem of security tools — that’s what we do.
Atomic bits can be boring enough to encapsulate all complexity, yet to provide flexibility and interoperability.
We’ve learnt the hard way so you don’t have to #
As no one is perfect, we’ve seen plenty of the magical thinking in our own engineering experience. Taking this experience into account, over the years, we’ve embraced a culture of meticulousness, being even more boring:
- We’ve designed internal protocols that force us to be boring as we proceed: we do double checks and blind checks to get a clear eye on every single step.
- We intentionally keep long consulting projects (years) to reap the full experience together with clients. When our advice leads to even subtle hints of failure, we are there to help, fix, and be witnesses to our own shortcomings.
- We encourage an internal culture of inquiry and proof, sometimes above commercial gain.
So, a good part of our culture fit is being able to accept meticulousness and inquiry above many other merits. We rely on each other to be as boring and analytical as possible.
We build tools to enable safe, responsible, and efficient innovation for everyone, bringing more magic of advanced technology into the world.