| ▲ | corroclaro 3 hours ago |
| This keeps happening in Europe with these mega-IT suppliers repeatedly getting exposed using very bad development practices. Sweden most recently had a major breach back in 2024 when the other large IT services supplier TietoEvry had their data centres breached and claimed "not actually an issue of security". Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed. Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity, are suspicious of things like zero-trust, follow outdated engineering practices. Sigh. |
|
| ▲ | vladms 3 hours ago | parent | next [-] |
| > Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity So what you think would be the solution ? From what I see (both public tender or not), I would claim that "any large IT project/company will suffer from security issues", so not sure what is the added value to single out a process (the tender) or a region (Europe) if there is no obvious alternative. |
| |
| ▲ | ExoticPearTree 11 minutes ago | parent | next [-] | | Split giant projects into small ones, award it to better smaller companies, require interoperability via API that is clearly documented and ask for around the clock security monitoring and patching. The last things being the same thing you do at any decent private company. IBM or Accenture or whoever don't need to be the only ones winning tenders. | |
| ▲ | xorcist 2 hours ago | parent | prev | next [-] | | I have (the start of a) solution, but it's a boring one: You have to have people who care about this stuff. If you don't care, the rest does not matter. It does not matter if, when and how you outsource if you don't care about the outcome. You can't just pay someone a salary, nor a consulting bill, check the box and say you've done your part. And the other way around: These huge consulting conglomerates would get very few jobs if purchasers cared about the details, and not just that all the boxes are checked. | | |
| ▲ | dns_snek 2 hours ago | parent | next [-] | | I don't think that's a particularly novel idea, the question is how do you get people who care in an organization that has hundreds of thousands of employees (the public sector)? | | |
| ▲ | xorcist an hour ago | parent [-] | | You may not like the trivial answer: The same way as we do everything else. How do we get people to show up for work? How do we get people to respect data security boundaries? None of these are questions of technology. The answer is culture. We need to create a strong shared culture of caring, by hiring people that care and putting them in an environment where caring is appreciated. |
| |
| ▲ | latexr an hour ago | parent | prev [-] | | > You have to have people who care about this stuff. What?! Preposterous! How could you even make money out of that? No no no, that will not do. You will ask your AI agent some vague question, commit the result without review and push it to the client. And you’ll like it. If there’s any trouble, call Timothy, he’ll be on vacation with his family in Thailand. Some resort, “Lotus” something or other. |
| |
| ▲ | mvdwoord 2 hours ago | parent | prev [-] | | Germany has iirc liability for the entire chain (engineers to upper management) in case of data breaches. I remember having to sign for that when I did a project in Germany. Would that help? I would not mind if the CEO/CTO of Odido would spend a couple of years in a federal pound them in the ass prison if it is found out the leak was due to malpractice. |
|
|
| ▲ | bengale 3 hours ago | parent | prev | next [-] |
| The tender process is what they are optimised for. They are professional project bidders with a bit of outsourced software development bolted on the back. |
| |
| ▲ | Maxion 3 hours ago | parent [-] | | A lot of outsourced development. The tender process + clueless buyers + tender process law(s) cause this. Whole process needs a revamp for this to not be a problem. |
|
|
| ▲ | ExoticPearTree 13 minutes ago | parent | prev [-] |
| The probleme here is that what tends to happen is that the security requirements are relatively vague and once the customer has signed the acceptance, good luck. And signing up with a big company is good way to cover your behind, because "if they with all their people and knowledge could not do it...". Basically the mantra or "Nobody was ever fired for buying Cisco". |
