
Part 1 – Security – your reasons are wrong

I’ve had an interest in security ever since a teacher showed me an SQL injection in code I had written, over 12 years ago.

There were two main reasons for that. First, I was intrigued by the technical puzzle of abusing someone’s code. Second, anyone with that knowledge could access my database, something I did not want because it could contain sensitive data. In this case it was merely a school assignment, but ever since I have kept developing my security skills because I cared.

It’s now 12 years later and security has become a much hotter topic than it ever was. That would be awesome if it were for the right reasons, and I really believe that’s often not the case.

If we look back into history we notice a trend where companies rely much more on IT. Some companies are even 100% dependent on their IT infrastructure or products. I guess you could call it really vital.

Looking further, we notice a trend where “hacks” (exploits, whatever) are much more destructive than ever before: taking your files hostage for ransom, destroying databases “just because we can”, etc.

Add some social media into the mix, plus general news outlets that are eager to publish posts such as “millions of {insert user data type} compromised in a hack”, and you’ll end up with an explosive list of arguments to protect your ass.

And that is my problem. 

I wanted to make my code safe because I want to be responsible, regardless of any other reason. I don’t want to write safe code or actually think about my data because of some compliance officer, CISO, waiver, company name, news outlet or some manager who has heard a buzzword and insists I become a dev-sec-ops engineer.

In the past years I have hardly seen a company that cared about security because security, in general, is important. This somewhat troubles me. A lot of what companies do is because of money. Security became more important because it can ruin your name, kill your company or actually inflict damage, not because everyone started giving a f*** about their data.

I always grin about ISO 27001: companies calling themselves secure because they have this “certification”. That ISO standard does not prove anything regarding security. It’s merely a waiver stating that you have given it some thought for a period, during which you paid quite some money to get that paper. I’m not saying ISO 27001 is a bad thing. I’m merely saying that, by its official meaning, it only means that you have covered some business RISK.

Nowadays, with CISOs, dev-sec-ops and other titles, we have shifted towards some form of security Valhalla where everyone is eager about security. Yet I believe 99% of that is based on making money off whatever hot item is happening. We have entire divisions of RISK and COMPLIANCE fighting to push everyone in the right direction so that everything is “in scope” for security.

So, on actually fixing things, I would like to take a few steps back. I strongly believe that we are pushing things too far. All those new people pushing for security are sometimes forgetting the basics, leaving the people who need to “fix” and “deliver” things with less time to actually make proper products. Instead of enabling others, they are actually disabling work, features and ease of development.

Sometimes we are talking about the most insane security edge cases while leaving the most basic things in the open because RISK does not see them as an issue. Like having a newsletter sign-up form that asks for a ton of personal information regardless of the purpose: it’s checked by risk and compliance because it fits the checkbox, but it’s not safe.

Then we implement a secure password policy, because it’s secure. Let’s also force people to change it every month, because that’s even more secure! The end result is that people pick insecure passwords and/or write them down.

In most cases I’ve witnessed, real issues get ignored because there is no time or freedom for them. They get overruled by other security rules that seem more important and often have side effects. I actually believe that certain security compliance stuff has been the root cause of multiple data breaches. I’m not a person who actually does studies on these kinds of things, so take my words with a grain of salt, or investigate it 😉

In the end (for security), we should just care more about everything except for one thing: the company itself. One should care about data, care about people with expertise in their field, and listen to them. The exception is those working in security. They should, for once, not care about the company: not the finances behind it, the budget or the politics. They should have only one motto: I care for my data, my customers and those involved in that process. With that in mind, different paths will be taken for the proper reasons.

Part 2:

Published in Random
