by Spearchucker
1967 days ago
Psychologically the enterprise software industry is actively discouraged from creating secure code. The most-heard mantra is to not do it because it’s difficult, making it a pointless exercise. Another is that security testing is too disruptive to production systems. The software industry is good at recommending specific design ciphers and algorithms, and ignoring symmetric and public key protocols (Alice and Bob). Also, many attacks today target security protocols rather than, for example, cracking passwords. Another huge impediment to creating secure systems is agile, which discourages up-front design. The average sprint duration of two weeks is too short for meaningful security testing. Testing is not feasible with nightly builds or pre-release sanity checks, either. Product owners or customer representatives are too often non-technical stakeholders that have the authority to make technical design decisions. While never a good idea, this has bad consequences on architecture and particularly on security.