    I sort of get the point of the article. There are counterproductive behaviors among many INFOSEC people. The exploits are harder to produce these days. A small amount of cost-effective security can improve things a lot. The problem is the article ignores that some of the claims are true and then reframes the problem as security people just not understanding development.

    In reality, the vast majority of security issues we’re seeing are both well-understood and easily prevented. On the system side, there have been guides on low-hanging fruit, languages immune to it, static analysis for common languages, and so on. Still the same stuff, no matter how little effort is required. On the web end, there’s a small number of problems that account for the vast majority of compromises. There exist pre-made libraries/frameworks, analysis tools, and guides for quickly catching them. Most ignore it. The article also brings up a lack of patching, which is super easy to automate, both testing for breakage and deployment. Most ignore that, too.

    Far from not understanding development, the INFOSEC people quoted seem to understand both development and the level of apathy toward INFOSEC by developers. No matter how easy they make it, the developers still ignore it. Some of it, like safer languages, even makes developers’ jobs easier, with faster development and less debugging. Some uptake there in scripting languages at least. In systems, largely not. Even the hyperbole of connecting systems to the Internet resulting in compromises is true the vast majority of the time, with most of them being easily prevented as I’ve described. I’d understand if it was consistently the hard shit, but it’s not.

    So, the INFOSEC people are right. The developers, or especially managers/companies, just don’t care. The INFOSEC people definitely could handle their promotion of secure methods better. I’ve encouraged them to just develop useful products that bake it in so they get adopted on non-security merits. Do a fait accompli strategy. Just don’t try to talk the developers into doing something that’s useful and more secure as a major selling point. That won’t go anywhere the vast majority of the time. Industry metrics show it.