Hacker News new | ask | show | jobs
by Kalium 2107 days ago
I worked in a Haskell shop, and later in a Clojure shop. In both cases, engineers were happy-go-lucky about every security or privacy concern under the sun. Often they seemed to believe that being functional saved from having to worry about validating their inputs, checking authorization, or (absurdly) having access control on their critical data stores. They told me as much on several occasions, and exhibited no interest in altering these beliefs.

As you might guess, this drove me nuts. In both cases it eventually blew up in their faces and the events proved to be free of side effects. Their imperative colleagues did not have the same mindsets.

If those two shops are in any way representative, then it may perhaps be worth considering very carefully if keeping cool new technologies away from serious usage could in some scenarios be a win.
1 comments
Rickasaurus 2107 days ago
It's funny, I've never seen a dev team that really deeply internalized security without someone embedded who was an expert. It's just too hard, too easy to make a mistake.

I don't think these tools are the answer though, they make it easy for CISOs to look good, driving down the number, but is it real security?

You really need experts thinking about the security of your app. Ideally someone who thinks like a hacker.

link
Kalium 2107 days ago
You're right. You do need that person. IMO, it's a lot easier to accept their feedback when you understand that using a functional language offers you no significant security gains by virtue of being functional.

In my limited and less-than-universal experience as a security person thinking like a hacker, those scanners can and do enable real security enhancements. Keeping up on your patching is real security, as is having a system that can point out which inputs you didn't validate and what code paths they're on. Couple them with someone with the right experience and background, and you have the basis of a real application security program!

Which is to say that you're absolutely right. Having the right person in the right place is absolutely critical. I think it be possible that it might not always be sufficient.

link
bawolff 2107 days ago
Oh i agree 100% with that. Off the shelf static analysis tools have massive noise and rarely come up with useful vulns.

Most of the time they end up making a 20 page report with 500 issues that nobody reads because 499 of the issues are stupid.

(However, they can work if highly tuned to specific environment and workflow)

link