
n0on3 | 5 years ago

> security should be following basics as specified in common security standards (PCI DSS, ISO 27001 etc)

Would be nice but no, not really. The standards you mentioned are mostly compliance requirements. To be honest, a good chunk of the industry considers them as kind of a joke from a security perspective.

> It's comprehensive and not that hard to learn

Have you even read these standards? I mean, they might be "not hard to learn" but they are far from comprehensive (or specific, depending on which one you are looking at).

> Twitter are not remotely close to operating like that given their recent hacks

Ask literally any security professional you trust: companies compliant with PCI DSS and ISO27k1 get security incidents and breaches all the time, just like everyone else and possibly more (given that if they need compliance with these standards they are probably big enough to have a very wide/heterogeneous infrastructure/applications portfolio/administration practices/etc). If they claim they don't, that's most likely because their telemetry sucks (so it still happens, they just don't know about it).

rorykoehler | 5 years ago

My point isn't that these standards will protect you from any incidents. My point is that these standards are the low-hanging fruit and Twitter hasn't even picked it yet, so it's a bit redundant to get super technical. Twitter is suffering from governance failures.