top | item 30799153


mh0pe | 3 years ago

As a member of the Security community, it's disappointing to hear that this is the perception on the table, because our community can and should do much better than that. In my experience and goals, the best Info/AppSec/SecEng teams put people before processes, build guardrails instead of walls, and demonstrate first hand what they want to see engineering teams doing. If you're open to it, I'd like to offer perspective on why sec teams do some of the perceptively dumb things they do.

Those automated tools are better than ever. Manual code reviews are very important, but automated tools at this point can stand in for "over the fence" pre-production code reviews, as long as periodic reviews occur. In particularly sensitive contexts, especially finance, code is always signed off on by security before release when it can have impact on anything important. It's all about risk management.

Additionally, the cloud and SaaS are nothing like they were a decade ago. Security is now more focused on compliance due to the nature of building software today. You used to maybe provision a handful of nodes on EC2, use an autoscaling group if you were super fancy, and probably integrate with a handful of third-party APIs. Every business is different, but that was the core of running a workload. Now, I can delegate specific responsibilities to third parties and reduce both people and operating costs. But with that comes massive risk, since you just transferred an internal business function to a third party you have no control over. The most common approach to that risk is through process: vendor reviews, compliance, and cloud security posture management.

And then there's DevOps who ends up being ad-hoc security way too often with no relevant background (or interest).

All that to say, good, compassionate security teams do exist.


toomuchtodo | 3 years ago

Great comment, accurate representation of the situation.