by tshadwell
3693 days ago
This article falls foul of what I might call 'security shopping' -- passing mentions of lots of brightly coloured, complex-sounding security things with very little regard to what exact problem they're solving. They mention a VPN or insecure access panel having bad permissions, but recommend a mixed bag of differently coloured jellybeans as the solution without once recommending shutting down the PHP script, allowing access from the VPN only through certificate, password and hardware two-factor authentication, and ensuring good access controls and employee on- and off-boarding systems. Far more importantly, I question the efficacy of any security recommendation that doesn't mention threat modelling at all. What is it you want to protect? What's it going to cost to protect these things? What's it going to cost to lose them? What's the simplest and most effective best way of protecting these? Is it really moving your entire system to a different platform and upgrading all your crypto -- ask yourself -- are we really installing air bags, or are we building our car out of armour plates? Some kid is going to spend 2 hours on XSS in your app if you spend all your resources investing in in-datacentre encryption and service-to-service authentication.
As someone who practices security, I found the keywords you can pull from the slide reasonable in their suggestions to follow up on. There were a couple of places he went into the weeds, and I think he probably could have talked up iOS security a bit more instead of smart cards which are a bit overkill relative to his other suggestions.
But, this is just a slide deck. Try not to rush to judgement considering we didn't hear the talk that came with it.