Hacker News
by lxfontes 4008 days ago
I fully agree. Sorry if this sounds like a thread hijack, but I would rephrase the question as:

How to deal with people that are trying to "win" an argument.

We need secure logins. How should we do it?

(a) We should use HTTPS

(b) HTTPS is not enough. You need to guarantee that nobody is recording keystrokes on the client; you also need to guarantee the CA certificate hasn't been compromised and there is no man in the middle; you also need to guarantee that this password can only be used once... and so on

2 comments

You say "that's great you thought of all those things. Let's prioritize them and see how many we can get through in the time we have allotted to the login page project."

Deadline-driven development? At least for security, that sounds like a dangerous approach. What if something that's not the first priority but is still important doesn't make the cut? Likewise, should you be adding non-important features that will increase your maintenance burden just because you have free time to write them?

> Deadline-driven development? At least for security, that sounds like a dangerous approach.

This is a valid opinion, but management better be privy to these discussions. I've interacted with technical teams who believe their technical opinions and decisions were completely not the business of the people who were signing their checks. Actually, even a subset of management being privy to the conversations isn't always enough - unless there's a good reason, I'd advocate for the details of conversations and especially differences of opinions to be publicly available to most anyone within an organization.

I think this is an important point. Culture plays a huge part in the decision-making process. Good security generally starts from an organizational acknowledgement that security is important. Everyone has deadlines and budgets so you must actively prioritize what will actually make the cut.
You balance the need for absolute security with the cost, risk and impact of failure, and go from there.