This is the ultimate nihilistic take on security.
Yes, 'cyber' security has devolved to box checking and cargo culting in many orgs. But what's your counter on trying to fix the problems that every tech stack or new SaaS product comes with out of the box?
For most people when their Netflix (or HN) password gets leaked that means every email they've sent since 2004 is also exposed. It might also mean their 401k is siphoned off. So welcome the annoying and checkbox-y MFA requirements.
If you're an engineer cutting code for a YC startup -- who owns the dependency you just pulled in? Are you or your team going to track changes (and security bugs) for it in 6 months? What about in 2 or 3 years?
Yes, 'cyber' security brings a lot of annoying checkboxes. But almost all of them are due to externalities that you'd happily blow past otherwise. So -- how do we get rid of annoying checkboxes and ensure people do the right thing as a matter of course?
> For most people when their Netflix (or HN) password gets leaked that means every email they've sent since 2004 is also exposed. It might also mean their 401k is siphoned off. So welcome the annoying and checkbox-y MFA requirements.
Not true. For most people, when their Netflix or HN password gets leaked, that means fuck all. Most people don't even realize their password was leaked 20 times over the last 5 years. Yes, here and there someone might get deprived of their savings (or marriage) this way, but at scale, approximately nothing ever happens to anyone because of password or SSN leaks. In the scope of cybersec threats, people are much more likely to become victims of ransomware and tech support call scams.
I'm not saying that cybersec is entirely meaningless and that you shouldn't care about security of your products. I'm saying that, as a field, it's focused on liability management, because that's what most customers care about, pay for, and it's where the most damage actually manifests. As such, to create secure information systems, you often need to work against the zeitgeist and recommendations of the field.
EDIT:
> This is the ultimate nihilistic take on security.
I don't believe it is. In fact, I've been putting effort into becoming less cynical over the last few months, as I realized it's not a helpful outlook.
It's more like, techies in cybersecurity seem to have an overinflated sense of the uniqueness and importance of their work. The reality is, it's almost all about liability management - and is such precisely because most cybersec problems are nothingburgers that can be passed around like a hot potato and ultimately discharged through insurance. It's not the worst state of things - it would be much worse if a typical cyber attack actually hurt or killed people.
Actual accountability. Do not let companies be like "Well, we were SOC2 compliant, this breach is not our fault despite not updating Apache Struts! Tee Hee." When Equifax got away with what was InfoSec murder with 6 months of suspended jail time, executives stopped caring. This is a political problem, not a technology one.
> So -- how do we get rid of annoying checkboxes and ensure people do the right thing as a matter of course?
By actually having the power to enforce this: if you pull our SBOM, realize we have a vulnerability, and get our Product Owner to prioritize fixing it even if it takes 6 weeks because we did a dumb thing 2 years ago and the tech debt bill has come due. Otherwise, stop wasting my time with these exercises, I have work to do.
Not trying to be mean, but that's my take with my infosec team right now. You are powerless outside your ability to get SOC2, and we all know this is theater; tell us what piece of the set you want from me, take it, and go away.