Hacker News new | past | comments | ask | show | jobs | submit login

>keeps security people focused on externalities instead of getting real traction to effect the design and production of better products and systems.

A lot of the times the security people have their hands tied behind their back because a lot of these businesses don't consider security as an integral goal from the get go. All they want to do is fail fast and fail often and just get something out the door without considering security which then leads us to all sorts of ridiculous situations. This is what leads to a lot of these security professionals playing the game of "externalities" and doing the next best thing of mitigating the already poorly secured business instead of actually fixing it because it's already too late and it would "cost too much" to redo everything properly.

So long as the status quo is in place, these security people are going to be fighting a losing battle. They're evangelizing security in a marketplace where customers don't know enough to demand it and the amount the inevitable breaches take out of the bottom line is small enough to just be written off as the cost of doing business.

Why would any rational manager prioritize security when those are the facts on the ground? It just represents money spent and agility lost, without a corresponding upside big enough to justify it. (Except for your ability to sleep at night.) The only way forward is for something to change that shifts the balance of incentives for all players towards security, rather than away from it.

My pet proposal to accomplish this is to create something along the lines of Underwriters Laboratories (https://en.wikipedia.org/wiki/UL_(safety_organization)). Have an independent third party that promulgates standards for security, and can certify products that comply with those standards as secure. Give that certification a fancy logo that the products can use in their marketing, to give customers a way to look for products that comply with the standards. Work with insurers so that companies that follow the standards are understood to be lower-risk than those that do not. Etc.

Another idea is to make companies liable for data breaches. These may be unintentional, but we have similar laws for unintentional safety problems. If I sell you a hairdryer that explodes, I will be on the hook for that, even if I didn't intend for it to explode. Why shouldn't it be the same for security issues?

If I recall correctly, Bruce Schneier is a proponent of this idea.

Good idea! Relatedly, it's my understanding that European countries have much tighter infrastructure security that is tested and vetted by government agencies. It's also my understanding that we have zero of that in the U.S. Do the Europeans get better results?

If it "costs too much," arguably, our security products just suck. We've seen what people will put up with if it adds value, and security products don't add enough value for people to adopt them unless they are forced to by compliance offices.

It's really on us to provide value, and on businesses to not create privacy disasters.

There are products I think are amazing as a security person (okta, auth0, forgerock, keycloak, hashicorp vault, EFK, jenkins' owasp integrations, authy, iphone's TEE, etc) but if developers and product teams are not adopting them willingly, they suck.

What's great about these products is they provide useful plug-in services (IAM, logging, analysis, data viz, version control, alerting, etc), but it's like there is a piece missing where developers decide, "thank god this exists, it saves me weeks."

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact