by ben509
1869 days ago
Part of the problem is it's very hard to value security because, frankly, so much security is theatrics and snake oil. For instance, look at the consumer market, which is where an executive without security knowledge is coming from. All the big VPN vendors make security promises that are, frankly, false advertising. AV products are notorious for including warnings for viruses that pad their counts. That's not counting all the security applications that are malware. And if they talk to someone familiar with the industry side, they should hear some skepticism. All the static analyzers are full of flags for things that are there to drive up their numbers. There have been a few HN stories on junk CVEs that are filed so people can put them on their resume. I had to set up a WAF at work that proudly said it mitigated the OWASP top ten (why the top ten? Is #11 not important?), which includes recommendations like logging that a WAF is plainly not doing. And then I tested its defense against SQL injection and it was trivial to bypass. And if a business that isn't a tech company hires contractors to fix security issues, most of the time, those guys will do a lot of check-the-box BS.

It's fundamentally difficult, from a business operations perspective, for a company to do security because:

1. the horizon problem that you bring up
2. it's a cost center
3. it's not their core expertise
4. if you even ask what secure looks like, you either get filibustered with long lists of best practices, or a lot of hand waving but strident proclamations.