Microsoft seeing people use their products with the default settings they ship to customers

@SwiftOnSecurity A year+ ago I did Azure security training, provided by Microsoft, in Singapore, to folks they knew were security professionals...
And every session of the multi-week epic involved setting up resource groups, servers, storage and users with credentials or settings that were just plain insecure. "We'll just do X - you wouldn't do this in production, but for training purposes we'll do this quick workaround" every time, every exercise.
"Here's an RDP link", "copy this password", "open this to the internet so we can X".
Teach / train / ship by default... the way you want people to use it -- this must be securely. Anything else is an abomination, a taint on the future... /rantoff

@kostchei @SwiftOnSecurity God, I lived exactly the same thing.

"Please don't do this, we'll just do this the quick and dirty way for the exercise."

And then you try to look up the right way to do things... and you get dependency errors, the RSA certificate generator doesn't work, the whole system is not configured with a correct DNS and your team has no control over that, which means you can't implement HTTPS...

Want to use a seeded database for the passwords? Nuh uh! You can't do that because you need to encrypt the password en route and you don't have HTTPS! Which means you can't use seeds in the database!

Error after error, trouble after trouble, and you just give up and say "fuck it, I'll just obfuscate".

Then you go to your manager, explain the situation, and they tell you there's no time to fix that because upper management just moved the delivery date.

And by the time you finished implementing stuff, a new project came... and you give up.

The rest of the things that should be done correctly are in a backlog filled with bugs, annoyances and things that will never get done - like paying that damn license for that dual-licensed library or whatever.

Security is almost never a priority.

@yuki2501 @kostchei @SwiftOnSecurity

I call this the paradox of security: security is antithetical to usability, *unless* your system is attacked.

Every feature added to increase security removes some corner use-cases (by definition), and some of those corner use-cases are legitimate (in the sense that a human observer would not consider them an attack). Restrict access to only trusted machines, and now your CEO can't run a demo on someone else's laptop at a hotel, for example.

So there's *huge* incentive for a startup to cut corners here: every time they raise the difficulty of completing their goal, they up the chance they'll run out of runway before they succeed, and the odds of them being attacked start low because nobody cares about their nonsense until they make it.

... knowing these incentives has significant impact on one's risk assessment of how much one trusts *any* startup with *any* PII or other critical data.

Qoto Mastodon