undefined | Better HN

0 pointsTristanBall1y ago0 comments

Did they say why?

It strikes me that those envs might be particularly prone to corporate inertia, ieg "the current way passed security audit, don't change it or we need to requalify"

It's possibly also harder to rely on a HSM when your software is in a container? ( I'm guessing here tho )

0 comments

nprateem1y ago

It's a useless, unproveable generalisation from a supposedly omniscient "insider". I know of at least one finance organisation using HSM as you'd expect.

skissane1y ago

And I know non-finance orgs using HSM to protect encryption keys used to encrypt PII

andrewmcwatters1y ago

Yeah, you don't have to trust me, there are plenty of software engineers working in finance who can tell you the same. Or they're using outdated ciphers, or they're storing information in plaintext or in logs, or they have no security playbooks.

It's irrelevant to me whether you believe it, it's happening today, and it happens with some of the top financial institutions and their subsidiaries and it's the same bureaucratic nonsense to move those teams to do something about it like it is anywhere else.

j / k navigate · click thread line to collapse