Fail Open or Fail Closed?

I’m reading Secure Coding: Principles and Practices from O’Reilly and I stumbled on something worth thinking about: should your software fail open or fail closed?

Say you’re building a corporate firewall. What happens when it encounters a fatal error and can’t figure out what’s a good packet and what’s a bad packet? Should it shut down and leave the machine open (fail open), or should it just stop evaluating and reject every packet (fail closed)? Arguments could be made for both options.

What if you’re building a system to regulate the flow of oxygen to a deep sea submersible? Say the software encounters an error and has to shut down. Without regulation from the software, should the valve stay open or closed?

Think about magnetically controlled doors. Does the magnet hold the bar in the locked position against the tension device trying to unlock it? Or does the magnet hold the bar in the unlocked position, against the tension device trying to lock it? The answer is the difference between whether the door is locked or unlocked on a power failure (assuming the magnet needed power to have force). One answer is good for complete security (lock on power failure), but then what happens to the fire escapes?

Interesting concept – one of those things that hangs around in the back of your mind and never really gets a light shined on it. Good book, too.