I agree that technology choices are not the best signal to use. They're one of a variety of primitive proxies for engineering culture, depth of talent and "process maturity". IMHO there is a weak correlation with team size, but a strong small team with good culture can of course outperform a large team with worse organisational culture. As you scale a team you get more capability, but there are more bases to cover and more value to protect.

Some points along the appsec spectrum of practices and culture:

At very small team sizes: reviews of pull requests with some minimum number of approvers, plus a culture of responding to comments and enough expertise on the team that someone recognises basic issues like "we shouldn't store passwords like that" or "maybe we shouldn't chuck a URL parameter straight into window.location here".

Small-medium: some level of technical leadership and design going into features, with security as at least a consideration. Maybe a budget for limited code reviews / pentesting now and then, or someone on the team with a constructive focus on security. Some automation with mostly free tools. Issue tracking for security defects and sane priorities.

Further along / large: employees who conduct security reviews (e.g. devs cc'd on PRs and some spelunking), pentest and work with developers during the design phase. Plug tools like static analysers, scanners / runtime analyses into CI and test envs. Conduct threat modelling. Run regular training for developers. Have devs who work on code safety (like wrapping unsafe libs or fixing bugs in key dependencies). Use an artifact repository and stay on top of bugs in dependencies. Maintain internal checklists and a security knowledge base. Sane metrics and reporting (this is surprisingly hard). Conduct 360s where you track down the root cause of bugs and see where you can stop them happening again. Processes for dealing with bug reports (security@). Bug bounties. And more.

Although all sizes of company experience a variety of incidents, where you see problems is when engineering maturity isn't commensurate with the value of the data / transactions / assets / brand.
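The "URL parameter straight into window.location" issue the comment mentions is an open redirect. The following is an added example, not code from the commenter: the vulnerable pattern as a reviewer would flag it, and a hardened helper that resolves the parameter against the site's own origin and only follows it if it stays there. The origin `https://app.example`, the `next` parameter name and the fallback path are assumptions for the example; the inputs in `demo()` are a constructed list of the values a pentester would typically try.

```javascript
// Added example (not from the original comment): the "URL parameter straight
// into window.location" problem, i.e. an open redirect.
//
// Vulnerable pattern, as a reviewer would flag it on a pull request:
//   const next = new URLSearchParams(window.location.search).get("next");
//   window.location = next;   // ?next=https://evil.example/ sends the user anywhere
//
// Hardened version: resolve the parameter against our own origin and only
// follow it if it stays on that origin. FALLBACK_PATH and the origin used in
// demo() are assumptions for the example.

const FALLBACK_PATH = "/";

// Resolve `next` relative to `origin` and return a same-origin href, or the
// fallback if the parameter would leave the site or is not a URL at all.
function safeRedirectTarget(next, origin) {
  const fallback = new URL(FALLBACK_PATH, origin).href;
  if (typeof next !== "string" || next.length === 0) {
    return fallback; // covers null from URLSearchParams.get() and empty values
  }
  let target;
  try {
    // Base-relative parsing: "/account" becomes https://app.example/account,
    // while "//evil.example", "\\evil.example" (backslashes are treated as
    // slashes for http(s)) and "https://evil.example" all resolve to a
    // foreign origin.
    target = new URL(next, origin);
  } catch {
    return fallback;
  }
  // Non-http(s) schemes such as javascript: or data: have an opaque origin
  // ("null"), so the strict origin comparison rejects them too. Comparing
  // origins rather than prefix-matching the string also defeats
  // "https://app.example.evil.example".
  if (target.origin !== origin) {
    return fallback;
  }
  return target.href;
}

// Browser usage (not executed here): in the page that handles ?next=...
//   const next = new URLSearchParams(window.location.search).get("next");
//   window.location.assign(safeRedirectTarget(next, window.location.origin));

// Constructed inputs a pentester would try, paired with what the hardened
// helper does with each.
function demo() {
  const origin = "https://app.example";
  const cases = [
    "/account?tab=billing",
    "//evil.example/phish",
    "\\\\evil.example/phish",
    "https://evil.example/phish",
    "https://app.example.evil.example/",
    "javascript:alert(document.domain)",
    "",
  ];
  return cases.map((c) => [c, safeRedirectTarget(c, origin)]);
}

for (const [input, result] of demo()) {
  console.log(JSON.stringify(input), "->", result);
}
```

Only the first input survives as a redirect target; every other variant, including the protocol-relative, backslash, subdomain-lookalike and `javascript:` forms, falls back to the site root. Checking `target.origin` against the page's own origin is the whole control; string prefix checks on the raw parameter are what usually leaves one of these variants open.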