Security!

Offensive and defensive at both code and infrastructure levels.

So many times I see devs not give a flying pancake about security. Whether it be rolling integers for sql injection or permission guarding to prevent someone executing something they shouldn't.

Why is security in this industry always the last thing to be concerned about when it's the first thing that's going to kill your business.

😓

because firewall...

Yep, IT colleague here either don't care, or as shares in firewall companies.

We don't need to fix log4j... we have a firewall.

Windows 7 is fine. We don't need security updates. We have a firewall.

You spend to much time making that app secure. Just put this password in plain text. We have a firewall... 🤯

Because most people see the security as something which takes time and money, but doesn't add value to the product they sell. Just make sure you have it in writing, so they can't blame it on you when shit hits the fan.

@JustThat It's not that hard. It's like a gun, as long as you just make sure it's not loaded, it doesn't matter it's a gun because it's no more dangerous than any other similar blunt metal object. The same way almost all remote security exploits can be prevented if you're just not a fucking idiot and ask yourself "Which inputs a third-party can control?" Don't expose 213213 different interfaces, expose one and make sure it handles the inputs properly and you're good.

Heartbleed, log4j, ... sure, these are significant problems, but to be exploited the attacker already needs some level of unsupervised access. No one will write custom software to exploit Heartbleed on your server because they know as long as they can get some kind of malicious software to run on your server, there are easier exploits to use. But if they could run it on thousands of devices because people are dumb? Yeah, better fix that exploit asap before someone does that.

@JustThat Also, handling inputs like SQL injections or overflows isn't that hard as long as you just use some basic tools like prepared statements and input validation. Usually those tools even reduce the overall amount of work you need to do, e.g. prepared statements take much less code than building SQL queries manually, even if you aren't doing anything to prevent injections.

security is a myth

@hitko log4j is relatively easy to exploit. And it does not need that much system specific code.

The solution is not using a library for every crap. Only use a library after making sure you really need it, can't write the code yourself or is to hard to do right. Things like Heartbleed can't be prevented that way. For something like TLS you should use a library, because doing it securely is hard.

Security and data privacy are things that require knowledge, hard work and love to detail.

All 3 things which cost money and time.

Most devs don't give a flying fuck cause it's their time and they don't get more money for it, instead get reprimanded cause they took too long.

And then everyone cries when shits on fire...