top | item 40804219

(no title)

Even the most massive hacks or breaches or cyber attacks barely put a dent into any reasonable business. One or two news cycles and a management rotation, that's it. Okta? Target? Equifax? Capital One? Uber? Even Solarwinds for crying out loud.

Everyone does enough to not be accused of gross negligence, but really I have not seen anyone pay more than lip service. And I don't blame them. No matter how much this hurts to say as a security professional.

discuss

StressedDev|1 year ago

The biggest group of people paying lip service to security are software engineers, and ops people. Both groups regularly choose implementation speed, and reduced work over sound security practices.

A good example of this is in C/C++. Most C code bases I have seen spread buffer use and allocation code over hundreds or thousands of files. Anyone of these files could have a security bug because some code does not check the buffer size before writing data into a buffer. There is no way this pattern will ever be secure because it requires software engineers to get every check right which is impossible.

Even worse, many software engineers do not care about security, or even correctness. They will happily write dangerous code because it takes less time.

Another example of both operations and software engineers having a blind spot is cloud computing. When you write software in the cloud, you want to minimize secrets for the following reasons:

1) They have to be periodically rotated (changed). Rotation takes time, and it is error prone. Making a mistake leads to an outage. Not rotating them can lead to a hack when an employee leaves the team or when a breach occurrs and the attacker gets a copy of the secret.

2) If a breach occurs, secrets have to be rotated very quickly. This is hard to do unless a team has spent a lot of effort on automated secret rotation.

The solution is to use managed identities (i.e. identities which automatically rotate their credentials every X days). I know Azure provides them, and I bet AWS, GCE, etc. also provide them. It takes a little more work but now, you do not have to worry about secret rotation anymore.

The problem is, more work means a lot of people just won't do it.

The final example is the principal of least privilege. Convincing people to only give the appropriate privileges to an account, managed identity, person, etc. is hard. Lots of people just give as much access as possible "in case someone needs it", or because it is easier. This leads to much worse security breaches.

My basic point is security problems are not just because companies don't care or are not punished enough. They also occur because software engineers, ops, and other technical people don't really care. If the people doing the actual work don't care, the situation is not going to ever improve.

chronid|1 year ago

This is not my experience, working in small shops/enterprise companies (some regulated). What I've seen is a constant, hard resistance from security "departments" to do anything that is not making policies (one company I worked with for a while had a security policy denying usage of managed identities in Azure...) and buying yet another magic solution from a vendor that will fix all our security problems (offloading its maintenance on... operations teams!), sometime with configurations that resemble the proverbial "very expensive firewall with ACCEPT ALL policies in all directions".

The companies with working security in my - limited, sure - experience had security teams owning the tools and making the life easier for developers and ops, from something "simple" like certificate rotation automation, to mTLS that is "transparent" for apps, to authn/authz, to secret management, all owned and managed by the security org.

IggleSniggle|1 year ago

The problem with the principle of least privilege is that you don't know how much privilege you need until you need it. And once you need it, you need to define a scope for it. If you wish to bake an apple pie from scratch, you must first invent the universe. But are you done with the universe once the apple pie is baked, or does it still need to be eaten, digested, and excreted? Are you done then? And what specific portions of the universe did you need in order to accomplish this goal? You're not sure? I'll see you in a few years when you're done with the research.

Sorry to be so cynical, as I do actually believe the principle of least privilege is an appropriate goal; I just think that there's no getting around that the engineers themselves are the ones who really must uphold this virtue, and even then, it can go overboard. At some point, the software should do something.