
Australian security and the cult of mediocrity - Khaine
https://claireconnelly.com.au/hello-humans/australian-security-the-cult-of-mediocrity/
======
sytringy05
This article is generalised rubbish. That's not to say there's a shortage of
badly managed, overspending IT projects in Australia (either public or
private) but I doubt it's worse here than the UK, US, Denmark or wherever else.

And to blame it on "Programmers" or siloed universities is about the laziest
piece of analysis I've read in anything (including Trump tweets) for ages.

There are real issues in IT generally in Aus, eg large orgs outsourcing all
their dev work to large and small SIs, no in-house capabilities for anything
other than limited governance, a reluctance to take on and train grads and a
million other things.

Security is definitely something that needs to change. In my experience IT
security has often been seen as an infrastructure job rather than a holistic
practice that covers the life cycle of systems, but the first time I worked
with a security dev team was at a government org, which was great. They were much
less about the firewalls, and much more focussed on good security practices,
the poor application of which by devs was often demonstrated at fortnightly
showcases where they would demo exploits in real time. Especially awesome was
the time they dropped the entire "user" database table with some magic
Hibernate exploit.

~~~
Eridrus
The fact that there is so little software work in Australia and that it pays
much less means that about a third of my graduating class works in the US now,
and it's not the mediocre folks. Most of the good folks who stayed went into
PhD programs/NICTA.

~~~
madeofpalk
> there is so little software work in Australia

Is this actually true? Maybe my friends and I have all been extremely
fortunate, but none of us have ever had trouble getting a job doing
development and being paid well.

Sure, there's a smaller amount of cool, hip, early-stage startups to go work
at compared to... New York, but still there are loads of people hiring if all
the recruiter spam is anything to go by.

~~~
Eridrus
Maybe I didn't look hard enough, but it seemed like the main companies in
Sydney were Atlassian, Google and banks.

And SF/NYC is exactly what I'm comparing it to. I mean, I live in NYC now and
don't have any real desire to move back.

Definitely interested in hearing about your experience though, what's the most
interesting software stuff going on in Australia?

~~~
madeofpalk
I previously worked at Nine (their digital arm, formerly known as Mi9)
building their VOD platforms, which was an amazing experience on a great project
with great developers and designers. Made friends there for life.

Now, I'm at an airline (well, at a digital agency who are at an airline)
working on their new inflight wifi product. It's pretty interesting, talking
to all sorts of APIs onboard the plane, super optimising the site so it's still
fast to run over a satellite connection.

Yeah, Sydney isn't San Francisco - that shouldn't be a surprise to anyone.
Jobs still exist, but most of them are in stable companies. If you want that
'startup life', go move to SF.

------
Untit1ed
> Wilson says the evangelism over Agile working and minimum viable products
> has resulted in poor security practices becoming commonplace procedure.

Even if it's food for thought in general, this is a pretty weak argument as
applied to the Australian government - agile practices haven't made a lot of
inroads there, particularly in projects supplied by companies like IBM, who tend
to use super-rigid waterfall. If anything, the recent failures prove that less-
agile processes don't guarantee you anything in terms of security.

------
aryehof
My view is that any non-trivial project should have explicit non-functional
requirements relating to security (amongst others). Almost _none_ do. Creation
of those written requirements, and ensuring they are fulfilled, requires the
use of security experts. Sadly, most IT project managers have no
understanding of this. It seems that a successful project has become one that
is "satisfactory" to stakeholders. Security and compliance and other non-
functional requirements too often are just afterthoughts.

------
solatic
> our software sucks because our programmers have no standards and because
> Agile can't deliver secure products

This is complete rubbish. Management's number one responsibility is to set
standards and enforce them, no matter what industry you're in. If the
programmers are churning out trash, it's management's responsibility to send
it back and hold them to standard. If management accepts trash, then the final
product will be trash. That's not the programmers' fault, that's management's
fault.

And saying that Agile can't deliver secure products is like saying field
commanders can't react to changing conditions on the field. _Agile is
specifically what allows organizations to produce secure software!_ Agile is
precisely what allows management to take exploit reports, prioritize them, and
quickly ship fixes, and not wait months on end for the next waterfall
iteration to introduce a fix. Agile is precisely what allows organizations to
introduce security policy professionals into regular planning meetings and
give them a say over the direction and manner of development, so that
organizations can take a more holistic approach to security, rather than
introduce them at the end of the waterfall during integration, where fixing
fundamental problems would result in costly delays and the result is an over-
reliance on firewalls and segmentation.

Insecure software is not inevitable. Management needs to prioritize a) hiring
competent security professionals, b) budgeting enough money for salary so that
they'll actually respond to head-hunters, c) giving them veto/enforcement rights
to prevent shipping insecure product, and d) giving them a seat at the table so that
security issues can be fixed and security as a holistic corporate culture can
be adopted over time.

------
aryehof
> “The truth is, programmers are hasty,” he said. “They under document, they
> under analyse, they under think, they under test, and Agile software
> development just gives them license to cut corners."

Agile development has a lot to answer for. It has sadly been largely elevated to
a religion which excludes innovation and thought about improvement.

------
microcolonel
PSA regarding scrolljacking: please, not even once, please.

Here is an archive link so you don't need to suffer it:
[http://archive.is/0ELqt](http://archive.is/0ELqt)

------
zmmmmm
Sadly I witness some of this firsthand and agree with most of it. There's a
lack of maturity around software in Australia from a whole lot of angles
compared to other countries. There's a general unwillingness to see software
as a core competency and a competitive advantage, and a default assumption
that outsourcing everything is the only sensible path. Lack of sophistication
in understanding security problems is just one symptom of it.

------
neotek
This is the same government that scoffed when people were up in arms about the
national census perpetually storing personally identifiable information for
the first time last year. "It'll never happen!" they said. "We have strong
security systems!"

