[pheatherlite]

CISO and people in his office (the so-called cyber security experts) are nothing but report pushers. They run vulnerability scans on code, and whatever comes back from packages like Tenable, they send to everyone to justify their own existence. They don't consider the severity, they don't consider snd differentiate between attack surfaces and attack vectors. They just hound you and your superiors in the name of insurance liabilities... they suck. They turn developers into hounds that harass other developers for fixes. Out goes the desire to work on a software because all you're doing is patching nonsense every day because some ciso somewhere is unsatisfied. To hell with each and every ciso. Security is important and having cyber folks that have programming background is even more important. Mindless lemmings otherwise.

[prymitive]

Most of this behaviour comes from the desire by many companies to by compliant with a lot of security regulations. Which in many cases means silly rule like “you must run and action a security scanning system”. Because a lot of these scanners are just dumb wrappers running any piece of software that pretends to be a security scanner, and because the more rules does one have the more “valuable” it is, you end up with a race to scan the most. And that sadly translates into rules and reports like https://hackerone.com/reports/191220 - OPTIONS method can be used to check what methods does a web server accepts, therefore an attacker might use it to learn which methods to use for the attack. Except they can just try it with no effort. It’s this sort of “if you can see a lock then attacker will use that knowledge to know where the lock is” logic that must be followed by “let’s remove all locks so they cannot be attacked” response.

[dogleash]

Yeah, they're risk analysts, not technologists. That's not inherently bad, you need those. In a previous life I worked in a domain with a lot of risk analysis, by the end I liked a lot of them and they were usually fairly easy to have as stakeholders. But security has a track record of failing to equip the rest of a business with process adequate for the inherent volatility in risk they're supposed to be managing. In the engine room it's still dashing from fire to fire, just with better fire alarms. The things you complain about are precisely the business problems that the security group should be solving. Cybersecurity is important enough that they can get away with overbearing demands without providing holistic solutions for the organization to reach them.

[kstrauser]

That's a very narrow view, to the point of being flat-out wrong. I was a CISO. Before that, I was a staff platform engineer who wrote the software other people would be evaluating.

I never, not once, pushed an upstream dev to fix a thing. I provided plenty of PRs over the years. If they didn't get merged, we maintained our own locally patched version.

My job was to find a way for us all to do as little as possible to meet our security goals. Those goals were lofty and sometimes that turned out to require quite a bit of work. But we never, ever, made our problem someone else's problem.

You see the CISOs that are a pain in the ass. You don't see the ones quietly going about their business trying to make the world a little safer.