
> another demands their security team be fired.

This drives me nuts. Disclosure: I'm currently working in a security role. My company is great, and if someone on my team says "we shouldn't do this", the reaction is to meet and decide how to replace an idea with something that serves the business request and our (and our users') security needs. I love it.

But I also know I'm being spoiled here. More common in my experience is:

Software engineer: We need to do a thing.

Security team: No! We can't do thing at all. It would ruin us.

Engineer's manager: We've already started and our CEO promised it to a customer. Do your job and figure out how to secure it.

Just saying, cut that group a little slack until we know that someone actually didn't do their jobs.



To be fair sometimes the security team is wrong or being over protective. There has to be a balance because it's too easy to think of "what if", Mission Impossible style, scenarios that have no bearing on the real world.


You're absolutely right. I have two main job functions:

1. Instead of saying "no", saying "not that way, but let's figure this out together".

2. Evaluating risk and modeling threats: "this is who we're protecting ourselves from, and here's what happens if we fail." If a bored teenager on their couch hacked our website, it would be embarrassing because someone without a lot of resources would be able to make changes to our display system, even if no real harm was done. If North Korea hacked our user database, it would suck and be bad for our users, but in practice not too many people are going to get angry at us for being attacked by a hostile nation's government as long as we were doing the right things.

(Note: that's grossly simplified, and it's not like we're "heh we don't protect against nation states".)


The more I'm online the less I feel like there's ever such a thing as over protective.


There's such a thing. You can get asymptotically close to "perfect security", but it really is a risk evaluation game. Is it worth it to spend $20,000 to run a pen test and make sure we're not grossly vulnerable to attack? Sure! Is it worth spending $50B to develop our own hardened OS, hosted inside our data bunker with airgapped servers running on custom CPUs? Probably not. The challenge becomes how to identify when you're as good as you reasonably can be given the threats you realistically face on a budget that doesn't resemble a small country's GDP.


Of course there's always a scenario that could be malapropos; yet most of the time we're not comparing $20k to a figure that has a larger GDP than many countries. I always get a kick out of people on the internet who take what I say and blow it way out of proportion to try to win an argument against me that I never made in the first place.

Anyway, I agree with your last sentence; at what point is something "good enough". Lately I feel like the "good enough" in a significant amount of corporations isn't acceptable. I'm in healthcare and the absolute lack of security in my day to day is absolutely amazing.


I think you're reading stuff into my reply that I didn't intend. I didn't want to argue with you. I read your post as though you were asking a question, and I answered it.

I agree with you on that last bit. While it's important to have your compliance ducks in a row, a lot of shops seem to feel like "we've checked all the audit checkboxes so we're secure now!" No. All that stuff is nice, but having a documented process for deciding who gets root on your database servers is not the same as actually securing your database servers.


