Mmm, maybe… Hell yeah! Sure you can! Oh, no! Avoid at all costs!
I’m tired, can I go now?
Without a certain level of precision and context in communication, there are very few mutually understandable reference points between people who build and people who protect.
When software engineers ask for security advice, they build their language around one set of fitness criteria: “will it work?”, “will it meet pre-determined requirements?”. And in normal software engineering most of the fitness criteria are easy to assess and validate. In security, it is not so easy.
When security engineers provide advice and recommendations to software engineers, they have two choices:
This brings the value of the conversation to zero, and everyone wants to go home.
When software engineers end up complaining about how anal, annoying and bureaucratic some security engineers can be (in addition to all the other fine traits infosec people possess), I see a few problems:
We can’t fix the expectations problem easily, because everyone wants to work less, party more and retire early for writing JavaScript spaghetti code that codifies dynamic discounts on lattes, while security is hard, laborious and brings little direct business value.
But with some work, we can fix at least the language and mental models to some extent. And, as some wise dead people believed, language creates reality.