Hacker News new | ask | show | jobs
by hn_throwaway_99 1000 days ago
I agree with all that, with the one small caveat that more than anything else I think what is most important about security is a strong security culture at a company. All the checklists and compliance frameworks in the world are doomed in the face of a poor security culture. On the flip side, a strong and constantly reinforced security culture can help protect against the occasional muppet.

One example: years ago I started work at a tech company (a fintech no less), and shortly after starting I asked the head of customer service how I could get an account to access an internal admin portal (I was an engineer and needed to understand some of ops processes). "Oh, you just log in with my account, and the password is <CompanyName><Year> - all the reps just use that shared account" I got an immediate sinking, sinking feeling of despair.
1 comments
foota 1000 days ago
Better than culture is enforced guarantees, nobody can store the database password on an NFS share if it's not available to them.
link
hn_throwaway_99 1000 days ago
I honestly believe that enforced guarantees come about through security culture though.

Meaning a strong security culture means you do appropriate secrets management, and importantly, everyone understands how secrets management should be done. That way if you have the occasional breach in your automated enforced guarantees (e.g. the article talks about how Equifax missed one of their vulnerable systems to patch), that if people see a problem they will speak up.

That is, I agree with enforcing guarantees as much as possible, but any engineer on that team who came across an NFS file with DB credentials should have spoken up loudly about "Why TF are these DB credentials present on a network drive?"

link
mcny 1000 days ago
I think you will love the way Microsoft handles this. Basically, there are automated flags that seem to ding managers (M1 I believe) so they will make sure the people in their teams handle these.

> any engineer on that team who came across an NFS file with DB credentials should have spoken up loudly about "Why TF are these DB credentials present on a network drive?"

This requires empowering your employees and the lower case a while with its cross functional teams which most managers hate.

link
eli 1000 days ago
If you take away NFS shares without providing a better way to store and manage access controls, engineers will eventually just come up with an even worse solution.

I'm skeptical you can even fix this without a culture change, but you definitely can't do it just by taking things away.

link
foota 1000 days ago
Yes, I agree. I realize this isn't feasible everywhere, but having access tied to a user account (and then auditing and limiting that access) can serve as a replacement. E.g., want to select a single row? Fine, but if they're dumping the db something is phishey.

Ironically, user accounts are in one sense more secure (than a system account with a shared password) because they can use 2fa (and there's no inherent need to distribute the password).

link