
IDK, I have multiple times seen significant practical security improvements as a direct consequence of some "93 section questionnaire" because the very first section had a few questions "Are you doing this simple, well-known best practice thing?", which they were not, because it took some time, effort and/or money and they just didn't care.

But once the questionnaire mattered, they started doing it just so they could legally answer "yes" to that question. Things like finally changing the default admin passwords on that service they installed a year ago, and testing backup recovery to find out that it actually can't be done due to a bug in the backup script skipping some key data.

I do agree; well, my boss would most likely never allow me to spend time on security until he got hit by a "93 section questionnaire" from big co.

Once the contract with big co was on the line, I got permission to do security and do it well.

Even though 80% of the questionnaire was not applicable, it still did a good job.
