
They didn’t prevent this specific hack so they are completely useless?


They didn’t say “completely useless,” they said “fairly useless.”

If you look at this case even briefly, you should come to the conclusion that the “security paperwork” is fairly useless.

An FTP server compromised because of a terrible password policy? No suspicious activity alerts of any kind? Executives who (based on their comments) are clearly ignorant of what makes software actually secure?

What is the paperwork able to prevent, if it can’t prevent such fundamental problems?


Exactly. It's wonderful that there are a few thousand controls for things like password length. But things that cause massive security nightmares like "does the CTO care about security?" or "has a pentest team reviewed and audited the source?" are so fundamental and should be triggered as any new system touches more and more systems.

"Does this software touch literally every other system on the network?" should be a question that triggers a much more rigorous and deeply technical evaluation and review.

But the current processes don't work that way; they are purely paperwork drills that often demonstrably make systems less safe.

