w10-1, 6 hours ago:

You are asserting that security has to be hand-crafted. That is a very strong claim, if you think about it. Is it not possible to have secure software components that only work when assembled in secure ways? Why not? Conversely, what security claims about a component can one rely upon without verifying it oneself? How would a non-professional verify claims of security professionals, who have a strong interest in people depending upon their work and not challenging its utility?
Paracompact, 4 hours ago (reply to w10-1):

Not the person you are responding to, but: I would agree that at the stage of full maturity of cybersecurity tooling and corporate deployment, configuration would be canonical and painless, and robust and independent verification of security would be possible by less-than-expert auditors. At such a stage of maturity, checklist-style approaches make perfect sense. I do not think we're at that stage of maturity. I think it would be hubris to imitate the practices of that stage of maturity, enshrining those practices in the eyes of insurance underwriters.