Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
vladms 3 hours ago

> Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity

So what you think would be the solution ? From what I see (both public tender or not), I would claim that "any large IT project/company will suffer from security issues", so not sure what is the added value to single out a process (the tender) or a region (Europe) if there is no obvious alternative.

ExoticPearTree 12 minutes ago | parent | next [-]

Split giant projects into small ones, award it to better smaller companies, require interoperability via API that is clearly documented and ask for around the clock security monitoring and patching. The last things being the same thing you do at any decent private company.

IBM or Accenture or whoever don't need to be the only ones winning tenders.

xorcist 2 hours ago | parent | prev | next [-]

I have (the start of a) solution, but it's a boring one:

You have to have people who care about this stuff.

If you don't care, the rest does not matter. It does not matter if, when and how you outsource if you don't care about the outcome. You can't just pay someone a salary, nor a consulting bill, check the box and say you've done your part.

And the other way around: These huge consulting conglomerates would get very few jobs if purchasers cared about the details, and not just that all the boxes are checked.

dns_snek 2 hours ago | parent | next [-]

I don't think that's a particularly novel idea, the question is how do you get people who care in an organization that has hundreds of thousands of employees (the public sector)?

xorcist an hour ago | parent [-]

You may not like the trivial answer: The same way as we do everything else. How do we get people to show up for work? How do we get people to respect data security boundaries? None of these are questions of technology. The answer is culture. We need to create a strong shared culture of caring, by hiring people that care and putting them in an environment where caring is appreciated.

latexr an hour ago | parent | prev [-]

> You have to have people who care about this stuff.

What?! Preposterous! How could you even make money out of that? No no no, that will not do. You will ask your AI agent some vague question, commit the result without review and push it to the client. And you’ll like it. If there’s any trouble, call Timothy, he’ll be on vacation with his family in Thailand. Some resort, “Lotus” something or other.

mvdwoord 2 hours ago | parent | prev [-]

Germany has iirc liability for the entire chain (engineers to upper management) in case of data breaches. I remember having to sign for that when I did a project in Germany. Would that help? I would not mind if the CEO/CTO of Odido would spend a couple of years in a federal pound them in the ass prison if it is found out the leak was due to malpractice.