
This whole post reeks of developer arrogance.

>Security teams rarely know how applications work, so their approach to security is heavy-handed and provides a false sense of protection.

Yes, sometimes there are overly bureaucratic processes in place, but as a security guy, do you know how many times we see devs self-SQL-injecting themselves on a webpage? How many times they ask if their service needs to be in the DVZ? (What the fuck is that? I think they mean DMZ.) Or why it's a problem that they're asking why they can't have "The Internet" when I ask what services their server needs externally?

Don't act like devs (or even IT Ops as a whole) have their shit together. They're at LEAST as security-crippled as security EVER is over-paranoid.

And as for this...

>Firewalls, packet inspection, virus scanning, and the like would all be completely unnecessary if code was written securely and if human beings behaved properly.

First, code will never be written completely securely; second, security is a spectrum of mitigation, therefore ACLs/firewalls/scanning will ALWAYS be necessary; third, humans NEVER behave properly, inside or out, therefore security will always be in business.
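The "self-SQL-injecting" and "spectrum of mitigation" points above, shown as an added worked example (this is not the commenter's code or anything from the post being discussed). It uses Python's standard sqlite3 module with a constructed in-memory users table: one lookup builds the query by string formatting and is injectable, the parameterized lookup is not, and two further layers that do not depend on the query being written correctly (an input allowlist at the boundary and a read-only authorizer on the connection) stand in for the ACL/firewall idea of layered controls. The table, the `PAYLOAD` string and all function names are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data for the example; not from any real system.
SAMPLE_USERS = [("alice", 1), ("bob", 0), ("carol", 0)]

# Classic tautology payload: closes the string literal, then OR-s in a true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Layer 0 (the self-inflicted bug): user input is spliced into the SQL text,
    so it becomes part of the query grammar rather than a value."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Layer 1: parameter binding. The driver sends the value separately from the
    SQL text, so quotes and keywords in the value never reach the parser as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def is_valid_username(name):
    """Layer 2: an allowlist at the trust boundary. Independent of how the query
    is built; rejects the payload before any SQL is involved."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", name) is not None


def make_read_only(conn):
    """Layer 3: a connection-level policy, the database-side analogue of an ACL.
    Even a query string an attacker controls cannot modify data on this connection."""
    def authorizer(action, arg1, arg2, db_name, trigger_name):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def attempt_delete(conn):
    """Return True if a DELETE succeeded, False if the authorizer denied it."""
    try:
        conn.execute("DELETE FROM users")
        return True
    except sqlite3.Error:
        return False


def demo():
    """Run every layer against a normal name and the injection payload."""
    conn = make_db()
    make_read_only(conn)  # applied after seeding, since seeding needs INSERT
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "bob"),
        "vulnerable_injected": lookup_vulnerable(conn, PAYLOAD),  # leaks every row
        "safe_normal": lookup_safe(conn, "bob"),
        "safe_injected": lookup_safe(conn, PAYLOAD),  # no user literally named x' OR '1'='1
        "allowlist_normal": is_valid_username("bob"),
        "allowlist_injected": is_valid_username(PAYLOAD),
        "delete_allowed": attempt_delete(conn),  # denied by the authorizer
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the three extra layers is the one the comment makes: the parameterized query is the correct fix, but the allowlist and the read-only policy still hold when the next developer writes another `f"..."` query, which is exactly why network and host controls are not made redundant by "just write secure code".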
