I think of myself as pretty security-conscious. But it's striking to me just how _long_ this list is. Even as someone who is trying to constantly think about this stuff, if I were faced with a list of this magnitude, I'd be tempted to throw in the towel and admit defeat right off the bat. It's no wonder so many SaaSes end up getting exposed. Even with a lot of best practices built in to so many cloud providers... how did we as an industry end up in a place where it's this dang hard to keep systems secure?
The list is pretty short compared to the audits we do every year or two. I've spent the last few years getting my company up to standard and this is the (simplified version of the) process we undertook.
1. Do an initial internal audit against a (few) known security standard(s) that are relevant to your org (ISO27001, NIST, PCI etc).
2. Create a System Security Plan document that outlines what your intended security posture is for each control in the standard you are following and also recording what your current posture is. Record evidence in this document too (screenshots etc) along with any caveats and mitigations.
3. Once you have the results create a Security Risk Management Plan (SRMP) with a risk register annex for an itemised record of gaps. This document should outline what gaps you have and categorise them according to the risk they represent for your company using the risk matrix https://en.wikipedia.org/wiki/Risk_matrix
4. Once you have the SRMP you can create a roadmap starting with the highest risk items and working down. It might take years for you to get to a good point but at least this process will focus efforts and give you a plan to tackle what seems like an insurmountable volume of work.
If you read this comment and thought "We should do this" I highly recommend contracting a security consultancy to act as your organisation's CISO to help you with this process. They will provide experience, structure and knowledge that is no doubt missing from your org. Rating risks can be non-intuitive, for example.
I don't think a NIST-heavy, documentation-centric process is as applicable to private industry, particularly startups, nor does NIST itself track the state of the industry around defenses & countermeasures. I'm saying that since you are using NIST language, in case it's not apparent to all readers.
Given that NIST is tracking so many controls (1190 controls & enhancements in the current revision) it becomes hard to see the singular burning trees from the forest view that is NIST.
Each control is a tree. You have to work through it one by one but as you do that you will find many of them (50% would not be unusual) are not applicable to your business. The standard is basically a guide rail. There are things that aren’t in it, there are things that are in it but are not relevant and there are also things that are outdated and/or against prevailing industry best practices.
I can empathize as well. And it gives me a greater appreciation of how most developers must feel about accessibility, which is my own specialty and passion.
I have to work with both constraints and I find accessibility standards to be easier to align with as they can become part of the SDLC pipeline (like code level testing). Security's scope is far more all-encompassing. The hard part for accessibility generally comes down to ensuring that people don't forget they need to think about it when they are designing features and especially changes.
Another thing that comes to mind is the list of the NIST Cybersecurity Framework’s controls. The length of these lists is a reflection of the real complexity that is inherent to computer networks.
> how did we as an industry end up in a place where it's this dang hard to keep systems secure?
Shipping is easy. Shipping makes the product better. Shipping gets the customers and the funding and furthers the mission. You do what it takes to ship, to get the thing working, to do what you're burning to do, and the rest is details.
Taking the time to ensure you've thought through your authentication strategy and done your key management well does not directly do any of these. It feels like a waste of time by comparison. What does it matter? You'll fix it later. You don't need bullshit corporate malware endpoint management, you only hire good professionals.
-----
It's so easy to slip into that mindset. Because you mean well, you want only the best, but you have priorities to balance. I can empathize with everyone involved in a list like this... but speaking as a security professional I ultimately prioritize the safety of the user.
Awareness is half the battle.
Maybe some of the items in this list are beyond the scope of what’s reasonable for a given organisation at a particular size or with limited resources, but being able to identify them early and plan them into your roadmap so you can begin to address them as your product and company matures is very useful. It’s all about assessing the risk you can afford to address now and in the future against the cost of implementation and whether that’s the right balance.