[dllthomas]

"Because they tried" doesn't get a B. You're not graded on effort. What you're graded on - when it comes to defense as opposed to recovery, though both are a part of this - is how likely a breach is. Unfortunately, you don't always learn your grade (and when you do, it's bad).

"Gambling with security will always be a losing bet in the long run. Rather just make it secure. Going off some strange 'expected resources' is just asking for the time when your data somehow becomes valuable and those resources get brought (or more likely, one of your employees annoys the wrong person with too much free time)."

So, every site you deploy is going to indefinitely withstand armed assault by government forces?

[RyanZAG]

No. But if the site gets hacked, I failed. If I asked users for their credits cards and stored it in a publicly accessible plain text file or in a secure system that still gets hacked the end result is still the same. My users are having unauthorized payments coming off their credit cards. I've failed.

Maybe I can sleep better at night if I didn't go storing them in plain text and I can make up excuses easier, but I still failed. Regardless of how likely any breach was, I failed. My customers have probably jumped ship.

If I store it in plain text and I never get hacked, then I've succeeded. I'm more likely to succeed the more security I add, but if it gets stolen then it doesn't matter anymore. Basically I'm trying to imply that success or failure is a boolean based on real world results and does not depend on the amount of effort placed into the security. The security can influence the result, but once the result occurs the security I used or did not use is irrelevant.

So skimping on security is always a terrible idea. If you know of a way to increase security, then you should increase it. If you offer a bug bounty to improve security, make sure you give a reward for any possible breach that could cause you to get hacked, regardless of whose 'fault' the vulnerability is. If someone can social engineer your developer, then pay out the bounty. Maybe it won't happen next time because now the developer has learned something.

[lifeisstillgood]

This is a fascinating discussion because it betrays two fundamental attitudes of society to risk.

RyanZAG is "correct". If someone breaks into my house and steals my TV, then my security was a failure.

This leads to the next problem - its not a catastrophic failure in today's (western) society. I am probably out at work, and I am insured, and the burglar is unlikely to be waiting when I get home to murder me.

However, there have been plenty of societies in the past, and are many now, where the expectation of loss would be almost total - someone breaches your security, they take the tv, kill you and your family and burn the house down on the way out.

So its not a judgement on the resources of the attacker that matters, it is the expected consequences of the breach - the expected value of damage.

Which side of the argument you come down on depends on whether you see the Internet as basically a nice London suburb with a few bad eggs in it, or a violent amalgam of Feudal Middle England and Mogadishu on a bad day.

[dllthomas]

Great perspective!

"So its not a judgement on the resources of the attacker that matters, it is the expected consequences of the breach - the expected value of damage."

I nodded at this when I mentioned resiliency and recovery, but I still think resources of the attacker matters. A determined attacker could doubtless breach your front door with a battering ram or axe and enough time. Part of the reason you don't worry about this, I assert, is that it's not likely because the costs to the attacker (in terms of chances of getting caught and penalties if they are) are too high. Part of it, as you say, is that we have some amount of resiliency against the threats posed. And probably part of it is that most of us are not terribly inclined to do damage to each other without provocation and there are many possible targets for the few who are - I'm not really sure the degree to which we should legitimately consider that bit a part of "security" but it certainly merits weight in calculating risks.

[lifeisstillgood]

That is a good point - I factor in the security of a effective police force, a legal system that will not tolerate using threats to sign over a business for $1 - all of these are part of our security.

Curiously I am not convinced of the total damage done by these various break-ins. Stealing credit card numbers is not the same as getting the loot into a laundered bank account. Grabbing bitcoin wallets is closer, but the liquidity does not exist to extract much.

The damage is seemingly more reputational, or other internal costs to the hacked company (like paying security consultants). The actual "money the thieves ran off with and could convert into real cash" is pretty thin - would value some pointers at studies here.

[dasil003]

You're conflating two things, inappropriately in my opinion:

> If you offer a bug bounty to improve security, make sure you give a reward for any possible breach that could cause you to get hacked, regardless of whose 'fault' the vulnerability is.

This is true. There's no upside for rejecting this as "out of bounds" except for a relatively tiny sum of cash.

> If you know of a way to increase security, then you should increase it.

This I disagree with completely. If there's anything you can do with negligible cost you should do it, however there are all kinds of costs. There are usability costs, operational costs, training costs, etc, etc.

You can't hand-wave these away by declaring that any breach is failure without recognizing the fact that there is no such thing as perfect security. In fact all security is gambling, and it should be a gamble based on the best odds we can come up with professionally against the cost of failure. If something requires 100% perfect security then that thing should not be done, period.

[dllthomas]

'This is true. There's no upside for rejecting this as "out of bounds" except for a relatively tiny sum of cash.'

There can be. If the attack involved something that - done broadly - would itself cause problems even without a vulnerability, then you don't want to reward people for probing those ways without arranging it first. As a sort of extreme example, imagine hundreds of security researchers getting in the way of your paying customers while trying social engineering attacks on your staff.

[dllthomas]

No, security is about trade-offs. If you throw absurd resources toward protecting against entirely unrealistic threats and your company goes out of business, you've failed. If you have legitimately made the risks small enough, for the resources and threat model (and that threat model sufficiently matches reality), you've succeeded. There are of course some legitimate caveats, including talk of externalities and questions about how one would measure things, but I still assert my basic model is more correct than yours.

Recognition that security is only as strong as the weak link does not imply that all links must be infinitely strong.

[darkarmani]

> So skimping on security is always a terrible idea. If you know of a way to increase security, then you should increase it.

This is what all of the "security" vendors would like you to believe. It completely ignores the value of the assets you are securing.

How many rounds do you use with PBKDF2 if you want to slow down attackers? You can always add more rounds to slow down brute forcing, so how would you reconcile this with your statement of always increasing security. The same applies to bcrypt.