Generic questions breed generic answers

Jun 3, 2021 Tags: #security #musings #asymmetry-series

Mmm, maybe… Hell yeah! Sure you can! Oh, no! Avoid at all costs!

I’m tired, can I go now?

Without a certain level of precision and context in communication, there are very few mutually understandable reference points between people who build and people who protect.

When software engineers ask for security advice, they build their language around one set of fitness criteria: “will it work?”, “will it meet pre-determined requirements?”. And in normal software engineering most of the fitness criteria are easy to assess and validate. In security, it is not so easy.

When security engineers provide advice and recommendations to software engineers, they have two choices:

  1. An honest attempt to be exact, which turns out to be overly tedious and annoying half of the time, because the other half of the time it is simply impossible, and the security advice turns into
  2. A set of boilerplate answers, because it is very hard to give a specific answer without a lot of input.

This brings the value of the conversation to zero, and everyone wants to go home.

When software engineers end up complaining about how anal, annoying and bureaucratic some security engineers can be (in addition to all the other fine traits infosec people possess), I see a few problems:

We can’t fix the expectations problem easily, because everyone wants to work less, party more and retire early for writing JavaScript spaghetti code that codifies dynamic discounts on lattes, while security is hard, laborious and brings little direct business value.

But with some work, we can fix at least the language and mental models to some extent. And, as some wise dead people believed, language creates reality.