I think this is a meme, the idea that someone is always going to decide to pay X million in fines instead of paying for security.
The problem, surely, is that there is no "right answer" to what you need for security, no 100%; things that were worth it last year are no longer effective, and on top of all of that, you have human beings working for you who make mistakes.
There is also the very real issue, hardly talked about, of rolling security into legacy applications/infrastructure. People talk like someone can just click their fingers and get 2FA/Webauthn/FIDO/Yubikey when most applications probably haven't been updated in 5 years and cost $1M per release in risk. Not saying it's good but that's how it is.
The problem is that they do not take any responsibility for the negligence and breach of contract - they were obligated to keep my data secure, they didn't, I might get defrauded now and they will never compensate me or anyone else.
> might get defrauded now and they will never compensate me or anyone else
If you're defrauded because of a leak, you have a claim for compensation. The problem is we have scant evidence these leaks cause consumer damages. There is the attribution problem–tying an instance of fraud to a particular breach is hard. But it's not so hard that we'd expect to see virtually zero cases.
What's more likely is having a list of credit card or even social security numbers is less useful than it might seem. To the degree fraud exists, consumers are largely indemnified, e.g. by card issuers.
Isn't security pretty cheap if you want to have it from the start?
Albeit you cannot include other companies' code and APIs to add features really fast, long-term the maintenance cost should be comparable.
Not really, security makes everything harder. I have worked on classified projects which I think are a good benchmark for continuous security and it is definitely expensive, and it was on the lowest levels of classification.
Costs come from everywhere, from the time it takes to transfer a simple file when USB ports are blocked and internet access is very limited. Regular audits, limited privileges and you can only run approved programs, maintaining software up to date but you have to actually look at the change logs (no automatic updates), physical security (alarms, safes, access control, etc...). Also, you can't work from home.
Your company may do security differently but there is always a cost. You may not notice a big "security" line in the budget but that's because the costs are everywhere, because everything can be a target. And unlike correctness, security is a moving target. For example, if the code you wrote for a specific task does the task correctly, as long as the task doesn't change, it will work forever (hence: "if it ain't broke, don't fix it"). But things that were once secure may stop being secure as new attacks are found, even if nothing changes on your side.
It's cheap if you build it in from the ground up, and a well-thought-out security program shouldn't impact development velocity at all.
Retrofitting security later tends to be painful, expensive, and cause conflict.
In software companies security teams should enable the developers as opposed to being a hindrance.
Secure code is code that tends to be better written, better documented, more performant, and pass tests. All of which are good things.
I'm always amazed at how many YC/VC backed software startups seem to have no place in their team or board for security, which makes it a massive cost center later on when they try to retrofit it.
> Isn't security pretty cheap if you want to have it from the start
Without trying to sound condescending (because it really is a complicated topic), this seems like a viewpoint that could _only_ be held by someone who has never had to actually deal with it.
> Albeit you cannot include other companies code and APIs
Which is why we need to increase liability for these corporations. Make it expensive for them to not care. Security breaches are often caused by gross negligence.
lbriner|3 years ago
ClumsyPilot|3 years ago
JumpCrisscross|3 years ago
a3w|3 years ago
GuB-42|3 years ago
nibbleshifter|3 years ago
RHSeeger|3 years ago
> Albeit you cannot include other companies code and APIs
That, alone, is a huge commitment.
flerchin|3 years ago
matheusmoreira|3 years ago