Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
hnlmorg a day ago

I’m going through exactly this joy with a client right now.

“We need SQL injection rules in the WAF”

“But we don’t have an SQL database”

“But we need to protect against the possibility of partnering with another company that needs to use the same datasets and wants to import them into a SQL database”

In fairness, these people are just trying to do their job too. They get told by NIST (et al) and Cloud service providers that WAF is best practice. So it’s no wonder they’d trust these snake oil salesman over the developers who asking not to do something “security” related.

zelphirkalt 16 hours ago | parent [-]

If they want to do their job well, how about adding some thinking into the mix, for good measure? Good would also be,if they actually knew what they are talking about, before trying to tell the engineers what to do.

hnlmorg 10 hours ago | parent | next [-]

> If they want to do their job well, how about adding some thinking into the mix, for good measure?

That’s what the conversation I shared is demonstrating ;)

> Good would also be,if they actually knew what they are talking about, before trying to tell the engineers what to do.

Often the people enduring the rules aren’t supposed to be security specialists. Because you’ll have your SMEs (subject matter experts) and your stockholders. The stakeholders will typically be project managers or senior management (for example) who have different skill sets and priorities to the SMEs.

The problem is that when it comes to security, it’s a complicated field where caution is better than lack of caution. So if a particular project does call on following enhanced secret practices, it becomes a ripe field for snake oil salesman.

Or to put it another way: no company would get sued for following security theatre but they are held accountable if there is a breach due to not following security best practices.

So often it doesn’t matter how logical and sensible the counter argument is, it’s automatically a losing argument

immibis 8 hours ago | parent | prev [-]

They don't want to do their job well. They want to look like they're doing their job well, to people who don't know how to do the job and whose metrics are completely divorced from actual merit.