Society-level infosec wins
The default persona in information security is a bit cynical, a bit dour. As a field, we don’t celebrate our wins enough.
Some things that made the world a better, safer place in the last 20 years:
- Automatic updates.
- Encryption in all forms.
- Encrypted messaging (effective, usable, free).
- Wifi encryption.
- HTTPS everywhere.
- Passwords stored hashed rather than in plaintext.
- 2FA basically everywhere. My mom regularly uses 2FA.
- Exploit mitigations (DEP, ASLR, etc.) - the cost and complexity of turning a memory-corruption vuln into a reliable exploit has gone up.
- Better languages - memory-safety vulns are rarer in new code thanks to memory-safe languages. I sneeze and write insecure C; it's harder to write at least memory-safety vulns in Python.
- Cloud. Instead of everyone running their own servers, we mostly trust other people to run them for us, and they do it better.
- Browser safety - the web platform now ships defenses that make pages less able to harm you: CSP, mixed-content blocking, SameSite cookies. Browsers themselves are sandboxed and have received a lot of security attention and improvement.
- For better or worse, the field gets a lot more attention. More practitioners (good), more political/policy interest (good?), more security products you can purchase (occasionally good), CISO is a role now (good).
- You don't go to jail by default for telling a company about its vulns. Bug bounties exist. There are norms around 90-day disclosure of unpatched vulns.
What else?