wslh a day ago

While I see your point, over time, I’ve come to think that cybersecurity is a fundamentally different and indomitable beast. Consider the sheer number of software projects, devices, and products being developed, each inevitably introducing all kinds of bugs, versus the relatively small number of people who truly understand the craft of real offensive security.

Veserv a day ago | parent | next

The very concept of “offensive security” is indicative of the problem.

If you want to make a secure military base, you do not hire a spec ops team to develop one. If you want to make a bulletproof vest, you do not hire a gunsmith to design new synthetic fibers.

Having offensive teams on hand to verify and validate is necessary, but largely orthogonal to the task of design and development. The skillsets are highly dissimilar.

The fact that people think this is the golden way shows how absolutely intellectually bankrupt the entire commercial cybersecurity industry is on a theoretical level. And the complete inability to protect against the regular and standard threat actors today shows and supports that empirically.

wslh a day ago | parent

> If you want to make a secure military base, you do not hire a spec ops team to develop one. If you want to make a bulletproof vest, you do not hire a gunsmith to design new synthetic fibers.

When you can be attacked by groups of 20-somethings with only a computer and full time to attack you via your smartwatch or social networks, you would rethink cybersecurity. Your example is linked to physical but not virtual spaces.

Veserv 19 hours ago | parent

Ah yes: "Don't you understand, the problems in this field are harder. That is why the methodologies that easier fields reject as being grossly inadequate for their easier problems will work on much harder problems." Even ignoring the glaring conceptual holes in that argument, we also have literal decades of objective and empirical evidence that those techniques are still absolute failures when applied to software security.

Furthermore, groups of kids do not constitute a technically sophisticated threat. If you are struggling with them, then your security is grossly inadequate against commonplace and routine threat actors today like individual opportunistic criminals. Which are themselves grossly inferior to commercially motivated cybercrime groups. Which are themselves grossly inferior to state actors who are also commonplace and routine threat actors against national infrastructure.

The fact that commercial IT cybersecurity companies continue to fall prey to such bottom-feeder predators should tell you everything you need to know about the value of their recommendations and "expertise". If you disagree, present a software system developed using "offensive security" focused methodology (which if you present no definition I will define as using offensive specialists to design the security of a software system) that has been explicitly audited to be secure against a small team (let us say 3 person-years) of offensive specialists. And no, the absence of evidence: "There have been no publicly announced hacks on this system" does not constitute the evidence of absence. Only explicit audits that actively test the security of a system provide evidence of absence.

And, just to head off any claims that this is an impossible standard that nobody reaches, I will point to Common Criteria SKPP certifications and the seL4 proofs of correctness as examples of the alternative that has reached such standards.

mxuribe a day ago | parent | prev

While I agree that cybersecurity is in no way at all an easy thing, I politely disagree that it is indomitable. I'm gonna stretch your intent there to use a cheesy analogy: it's like saying humans thought building anything over rivers was simply beyond their tech means, so bridges were never invented... But, you know, we have the technology to cross over rivers. (I know, I know, inventing bridges and establishing new standards for safer worlds vis-a-vis cybersecurity is not the same thing, sure, sure, ok.) :-)