
Security is a cost and nuisance. It's the first thing to be cut.

To keep high security at all times you need:

1) Process aka bureaucracy. Mandatory checklists. Checklists are returned and inspected by others. Anything missing or uncertain is checked again and fixed.

2) People who are responsible for security are independent from other concerns. They can have an adversarial relationship with the people responsible for getting things done if there is a conflict of interest. People responsible for security must have the status and power to enforce it.

Consider a scenario where you need to take the system down and fix something quickly. It's completely reasonable to allow a dummy password for a few hours while people are around fixing the problem until the system is back online.

But if there is no process in place to remove security temporarily and then restore it, something is always forgotten. The people who would order the password to be changed are not using it and forget the whole thing. The people who use it don't say anything, and it becomes the new normal.

You need to mandate checklists. You force people to use them and return them. It's costly and makes things slower.




I'd love to see a list of organisations at which these practices are the norm.

Dealing with standard practices, most especially violations of your #2, has contributed in large part to my getting off this ride.


True. The market cannot reward what it cannot see.



