top | item 39571676

romantomjak | 2 years ago

> Infrastructure teams can usually implement a feature faster than every app team in a company, so this tends to get solved by them.

Well, that's comparing apples to oranges. Product teams have completely different goals, e.g. adoption/retention/engagement, so naturally internal cluster encryption is so far out of scope that in fact only the platform team can reasonably implement it. I don't see how that statement is relevant. You don't send an electrician to build a brick wall.

flumpcakes | 2 years ago

Application security should be everyone's responsibility. Architects, developers, and operations.

Too many times have I seen architects and developers completely ignore it to make their jobs easier, leaving it to operations/infrastructure to implement. It's easy to twist the arm of business people with an "I can't ship feature X if you want me to look at security Y".

If everyone took this seriously perhaps we would have fewer issues.

romantomjak | 2 years ago

I agree, I was just making a point that different teams have different priorities and thus different scope. Saying "PodA can only talk to PodB over mTLS" is very different to "Users need to log in using OAuth". Who is going to build the product if the product team is working on the service mesh?

gerad | 2 years ago

I read the GP as it’s easier to have the single infrastructure team implement it than have every single product team add support in their service.

I mean most app servers abstract away https on the server level and most dev is done unencrypted. So this seems reasonable.