by TeMPOraL 627 days ago
Uncaring devs will stay uncaring, but I feel the bigger problem is still corporate. NIST recommendations carry little weight with corporate IT security. Certifications, compliance, and insurance do - so little will change until the revised recommendation works its way through the entire mutual appreciation society of audit agencies, "cyber" insurance providers, industry certification bodies, certification consultants, and a whole mud ball of enterprise middleware companies.

I mean, take the Microsoft ecosystem (Windows, SharePoint, Exchange, and other auth infra): it never had any bullshit password policies enabled by default - but every corporate Windows machine has them, because someone in corporate IT is setting it as central policy, and they're doing it because they "know better", or because the company is trying to get/keep their ISO:2007-whatever SOC2 stamp (or trying to secure a deal with another company that is), and some consultant came up the other day with a questionnaire asking if corporate systems are Secure, by, for example, implementing Specific Bullshit Policy. It's easier to implement it and call it a day than to contest every other checkbox on the questionnaire...