undefined | Better HN

0 pointsg_p5y ago0 comments

I think you're right here, and I worry we are overly compartmentalizing security away from engineering. Ideally you should be both. One of the issues I see is that (at least in my experience), security isn't too bad to get up to speed in, if you get the time, but it's pretty time consuming to stay on top of advances.

Cross team working is important, but I think it's also important to try and embed security "people" into the day to day development flow on a regular basis. It ought to help the developers through learning by osmosis.

Definitely think companies need to better signal the demand for deep technical skills in security though - too many seem to actual want generic risk management experience but no particular technical knowledge. To my mind, anyone in a security role should really be able to break their way into a typical corporate internal webapp in a few minutes, just out of their own residual talent and ability to show stakeholders the importance of their profession. It's amazing how quickly security gets a seat at the table when they show how they can pop the self service password reset portal with just a web browser (with appropriate permission of course) and are asking whose password to reset to show it works...

0 comments

1 comments · 1 top-level

Legogris5y ago

I think it’s even more so a matter of being time-consuming to do correct even if you know what to do... In a microservice architecture. mTLS everywhere, proper PKI, fine-grained access for all users and services, keeping dependencies minimal, vetting updates, securing network, firewall rules, keeping security patches up to date... all this takes time and without strict processes it’s very easy to cut corners.

And what about that PoC that slowly transitioned to bring a production system?

A large part of the blame lies in the culture of pressure on releasing fast and often.

j / k navigate · click thread line to collapse