valianteffort 5 days ago

> Experience has shown we cannot build secure systems

It's an unpopular idea because it's bullshit. Building secure systems is trivial and at the skill level of a junior engineer. Most of these "hacks" are not elaborate attacks utilizing esoteric knowledge to discover new vectors. They are the same exploit chains targeting bad programming practices, out-of-date libraries, etc.

Lousy code monkeys or mediocre programmers are the ones introducing vulnerabilities. We all know who they are. We all have to deal with them thanks to some brilliant middle manager figuring out how to cut costs for the org.

9dev 5 days ago | parent | next [-]

That sounds like a perspective from deep in the trenches. A software system has SO many parts, spanning your code, other people’s code, open source software, hardware appliances, SaaS tools, office software, email servers, and also humans reachable via social engineering. If someone makes a project manager click a link leading to a fake Jira login, and the attacker uses the credentials to issue a Jira access token, and uses that to impersonate the manager to create an innocuous ticket, and a low-tier developer introduces a subtle change in functionality that opens up a hole… then you have an insecure system.

This story spans a lot of different concerns, only a few of which are related to coding skills. Building secure software means defending in breadth, always, not fucking up once, against an armada of bots and creative hackers that only need to get lucky once.

darzu 5 days ago | parent | prev | next [-]

Take a broader view of what "building secure systems" means. It's not just about the code being written by ICs but about the business incentives, tech choices of leadership, the individual ways execs are rewarded, legacy realities, interactions with other companies, and a million other things. Our institutions are a complex result of all of these forces. Taken as a whole, and looking at the empirical evidence of companies and agencies frequently leaking data, the conclusion "we cannot build secure systems" is well founded.

wonderwonder 5 days ago | parent [-]

This is accurate. Especially in shops that implement firm shipping dates for Product Increments. You have X weeks to build Y features consisting of Z tickets. At the end of those X weeks you better have all your tickets done. So more often than not, the tickets are done and the features are implemented. Shops like this build incredible ticket closing machines. They are implemented to pass user acceptance testing, not to hold back hackers or bad actors. When leadership incentivizes delivering features and a developer's job or raise depends on delivering those features, you get what you incentivize.

KaiserPro 5 days ago | parent | prev | next [-]

> Building secure systems is trivial

I'd suggest you try and build a secure system for > 150k employees before you make sweeping statements like that.

tdrz 5 days ago | parent | prev | next [-]

Sometimes it is the management that doesn't understand anything. In their perspective, security doesn't improve the bottom line.

I worked for an SME that dealt with some sensitive customer data. I mentioned to the CEO that we should invest some time in improving our security. I got back that "what's the big deal, if anyone wants to look they can just look..."

plst 5 days ago | parent | prev | next [-]

Looking at the number of already discovered vulnerabilities in popular applications, I would say it's actually impossible to build secure systems right now. Even companies that are trying are failing. IMO it's still way too easy to introduce a vulnerability and then miss it in both review and pentests. We need big changes in all parts of the software building and maintaining process. Probably no one will like that, because we are still in the "move fast and break things" software development age.

sublinear 5 days ago | parent | prev | next [-]

This is true, but what's even more interesting is all the things that had to fail long before you had a shop full of monkeys.

bloqs 5 days ago | parent | prev | next [-]

I used to agree with you but I feel it's naive. Incompetence is always guaranteed.

Buttons840 5 days ago | parent | prev [-]

You're saying that creating secure systems is easy.

I'm not sure which is worse:

1) Creating secure systems is hard, and we often fail at it.

2) Creating secure systems is easy, and we often fail at it.

I don't know which is worse, but I know for sure we often fail at it.