[HN Gopher] Security is not part of most people's jobs
___________________________________________________________________
Security is not part of most people's jobs
Author : speckx
Score : 26 points
Date : 2024-06-26 13:03 UTC (9 hours ago)
(HTM) web link (utcc.utoronto.ca)
(TXT) w3m dump (utcc.utoronto.ca)
| GrumpyYoungMan wrote:
| Sure but what does "rewarding security", as the author suggests,
| in a way that is genuinely meaningful look like? The direct
| metric would be a low number of security holes or bugs in the
| product but then you run straight into the problem that many
| holes/bugs are not found until much, much later, if ever. Perhaps
| code review failed to notice it, perhaps QA didn't cover that
| case, perhaps security scanning tools missed it, perhaps no black
| or white hat hacker ever bothered to try to break it, etc.
| Without a meaningful metric, what will likely happen is that
| people get rewarded for some kind of security theater.
| nocsi wrote:
| Then go the opposite route. South Korea fines companies
| thousands of dollars every day a vulnerability isn't fixed.
| Security is one of those areas where negative reinforcement
| works better than positive reinforcement.
| felixhammerl wrote:
| "thousands of dollars every day" does not a negative
| reinforcement make. That is not even a rounding error for
| even mid-sized companies.
| paulryanrogers wrote:
| Then use 1% of revenue or 2K per day, whichever is greater.
| felixhammerl wrote:
| Even the most massive hacks or breaches or cyber attacks barely
| put a dent into any reasonable business. One or two news cycles
| and a management rotation, that's it. Okta? Target? Equifax?
| Capital One? Uber? Even Solarwinds for crying out loud.
|
| Everyone does enough to not be accused of gross negligence, but
| really I have not seen anyone pay more than lip service. And I
| don't blame them. No matter how much this hurts to say as a
| security professional.
| StressedDev wrote:
| The biggest group of people paying lip service to security are
| software engineers, and ops people. Both groups regularly
| choose implementation speed, and reduced work over sound
| security practices.
|
| A good example of this is in C/C++. Most C code bases I have
| seen spread buffer use and allocation code over hundreds or
| thousands of files. Any one of these files could have a security
| bug because some code does not check the buffer size before
| writing data into a buffer. There is no way this pattern will
| ever be secure because it requires software engineers to get
| every check right which is impossible.
|
| Even worse, many software engineers do not care about security,
| or even correctness. They will happily write dangerous code
| because it takes less time.
|
| Another example of both operations and software engineers
| having a blind spot is cloud computing. When you write software
| in the cloud, you want to minimize secrets for the following
| reasons:
|
| 1) They have to be periodically rotated (changed). Rotation
| takes time, and it is error prone. Making a mistake leads to an
| outage. Not rotating them can lead to a hack when an employee
| leaves the team or when a breach occurs and the attacker gets
| a copy of the secret.
|
| 2) If a breach occurs, secrets have to be rotated very quickly.
| This is hard to do unless a team has spent a lot of effort on
| automated secret rotation.
|
| The solution is to use managed identities (i.e. identities
| which automatically rotate their credentials every X days). I
| know Azure provides them, and I bet AWS, GCE, etc. also provide
| them. It takes a little more work but now, you do not have to
| worry about secret rotation anymore.
|
| The problem is, more work means a lot of people just won't do
| it.
|
| The final example is the principle of least privilege.
| Convincing people to only give the appropriate privileges to an
| account, managed identity, person, etc. is hard. Lots of people
| just give as much access as possible "in case someone needs
| it", or because it is easier. This leads to much worse security
| breaches.
|
| My basic point is security problems are not just because
| companies don't care or are not punished enough. They also
| occur because software engineers, ops, and other technical
| people don't really care. If the people doing the actual work
| don't care, the situation is not going to ever improve.
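Added example (not from the thread or the linked article) of the alternative the comment above points at: keep the buffer size check in one checked buffer type so that no individual write site has to get it right. The names (cbuf_t, cbuf_append, demo_appends) and the sample data are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One checked buffer type: the capacity travels with the pointer, so
 * the bounds check lives here instead of at every write site. */
typedef struct {
    char  *data;  /* caller-owned storage */
    size_t cap;   /* bytes available in data */
    size_t len;   /* bytes in use; invariant: len <= cap */
} cbuf_t;

static void cbuf_init(cbuf_t *b, char *storage, size_t cap) {
    b->data = storage;
    b->cap = cap;
    b->len = 0;
}

/* Append n bytes. Returns false and leaves the buffer untouched when
 * the write would not fit; never writes past data[cap - 1]. */
static bool cbuf_append(cbuf_t *b, const void *src, size_t n) {
    /* len <= cap, so cap - len cannot underflow; checking this way also
     * avoids the wrap-around that "len + n > cap" could suffer. */
    if (n > b->cap - b->len)
        return false;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return true;
}

/* Append a C string as bytes (no terminator), same single check. */
static bool cbuf_append_str(cbuf_t *b, const char *s) {
    return cbuf_append(b, s, strlen(s));
}

/* Constructed demo: an 8-byte buffer receives "hello", "world!", "abc".
 * Returns how many appends succeeded (the 6-byte one is refused because
 * only 3 bytes remain); *len_out receives the final length. */
static int demo_appends(size_t *len_out) {
    char storage[8];
    cbuf_t b;
    int ok = 0;
    cbuf_init(&b, storage, sizeof storage);
    ok += cbuf_append_str(&b, "hello");   /* 5 bytes: fits */
    ok += cbuf_append_str(&b, "world!");  /* 6 bytes: refused, nothing written */
    ok += cbuf_append_str(&b, "abc");     /* 3 bytes: fills the buffer exactly */
    if (len_out) *len_out = b.len;
    return ok;
}

static size_t demo_final_len(void) { size_t n = 0; demo_appends(&n); return n; }
```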
| tgma wrote:
| Interestingly, very often security is also not the real goal of
| entities that are supposedly in charge of security, whether
| specialized security vendors or in house security teams;
| compliance and cover-your-ass is. I have seen more than once that
| the CYA security theater in fact directly causes security
| problems.
|
| Quite often, the rare secure systems are built by great product
| teams who understand and are passionate about user data and
| security of the product themselves and architect the system
| accordingly.
___________________________________________________________________
(page generated 2024-06-26 23:01 UTC)