by formerly_proven 1651 days ago
Most jobs in "cybersecurity" are essentially just around for CYA purposes and not actually for improving security in any meaningful sense. Indeed, deployment of "security measures" for managerial CYA purposes results in things actively detrimental to security, like widely deployed, invasive snakeoil and many other things.

It's not just the jobs - it's the WHOLE fucking "software security" industry from the top down (I worked in it for 5 years - I refuse to touch it with a 20ft pole now).

The entire industry plays a game of:

- Create a checklist (or use an existing checklist - ex: FIPS)

- Check off all the boxes on the checklist (any way they can - however they can, with complete and utter disregard for the spirit of the checklist)

- Confirm with legal that checklist is complete

- Advertise that they are "secure" to customers who happen to care (not many do, honestly) and present them with the required completed checklists

- Get hacked LEFT AND RIGHT because the whole fucking game has nothing to do with security, and everything to do with liability.

- When they're hacked, whip out the checklist again and go "couldn't have been our fault! we followed the checklist."

Repeat.

----

Now - Software security is hard. Unfathomably hard to most people (as in - they literally don't understand). People STILL fail to realize that software security is not like building a bridge - I see it still even here on HN, where folks spout off bullshit comparisons to things like restaurant health/safety inspections, or architectural reviews.

The difference is that the bridge is not constantly being assaulted by an intelligent, evolving, malicious, human force. The software usually is.

And the security team can't just win one battle - they have to win every battle. Whether that's old systems, or a tired employee clicking an email link.

So I think you're basically between a rock and a hard place as an honest security worker. The job is literally impossible - so the folks who make money are the ones who compromise fastest and check off the most checklists (again - spirit of the checklist be damned).

I think the ballooning insurance payments (and the obvious eventual halt to offering cybersecurity insurance) will eventually bring the whole house of cards down, but we're still a few years out from that.

Physical world analogies are appealing and easy to visualize, but they work so poorly that I wish we stopped using them altogether for IT security. A bridge under attack is a bad analogy too. One cannot possibly build a bridge which is impossible to destroy, even with a budget 100x that of building the bridge. But in IT, at least in theory, it is possible to build such a system. If you make no mistakes. But the more complex the system, the less likely it is that no stupid mistakes were made.

Those comparisons are a pet peeve of mine. What kind of bridge can you automatically tear down and rebuild from a blueprint? Or reliably build on top of layers of technology you barely understand? That does create moral hazard. But it can also be a solution.

In light of this, how would you propose that a developer or a would-be developer really understand software security? I have the feeling that unless one is well versed in sys-prog concepts it's kinda just a checklist factory. I know I need to do A, B and C, but I don't know in depth why.