
The point is that it's a really bad tradeoff, because the impact to the users is high, and the impact to security is low. And yet we do it, because "You don't stop securing it just because you've found one good option", and that's a really bad reason to improve security by such a small increment with such large negative consequences.

The problem with 'defense in depth' is that it comes as close as possible to locking down systems to the point of uselessness, without actually, technically, preventing work from being done.



Ding ding ding!

If you want to defend in depth - more power to you.

If the way you're "defending in depth" is mostly not adding security, and is actively making the product less useful... I'm going to call it shite.

If you blindly say "defend in depth" without actually... you know... evaluating what that defense does to the product as a whole, you're doing your job poorly.


The rules of engagement on this site call not for radical candor but for taking the most charitable interpretation of someone's words.

Maybe the OP wasn't blindly saying 'defend in depth'? Maybe they were advocating for evaluating what that defense does to the product as a whole? If they were, is their attitude worth describing as cancerous?


If that was my entire comment - I'd probably agree with you. Good thing there's about 5 other paragraphs of content in my response that provide additional context...

My take: you're stuck on the word cancer as some sort of insult, rather than an analogy. I'd argue you're being fairly uncharitable in your responses - and further... you're yet again not engaging with the actual on-topic discussion.

Have a good one.


> Ding ding ding!

> If you want to defend in depth - more power to you.

> If the way you're "defending in depth" is mostly not adding security, and is actively making the product less useful... I'm going to call it shite.

Agreed. Sure, there is defense at different depths, but there's no reason to add depth without adding defense as well.


The other thing security people fail to realize is that when you’re hostile to UX, people start coming up with all sorts of workarounds that leave you less secure than you were before. Like the corporate managed laptop is so full of spyware that users bypass it and use their own personal device for development.


We don’t fail to realize that.

Security folks are humans too.

We realize that every human loves convenience and security removes conveniences. Simple As.

No matter what we do as security folks, the users will do everything possible to return to their convenience or complain about the inconvenience until the security is removed.

I’m not saying there aren’t overzealous security folk, but our goal isn’t to make humans' lives harder. We want to make it harder for the bad guys to ruin humans' lives.


> human loves convenience

Except that it's not a matter of 'convenience', it's a matter of being able to do their jobs. Security is a hard job, in part because you have to come up with security practices that are actually workable, and keep work impediments to a minimum. It's really easy to just add more restrictions. It's hard to add security that doesn't impede the users. When I see 'defense in depth' being invoked to justify massive work impediments for minimal security improvements, I don't see effective security practices - I see a cargo cult.


No, your objective is to make the organization lose the least money possible by reducing the incident rate, the recovery rate, or the impact. If you damage the org more than the risk you are saving against, you are a liability. This isn't a good-vs-bad thing; this is deciding when the line is worth crossing, and this article says, at least in their opinion, that this one isn't; you still have multiple other layers.


That's a reasonable point, sure.

One which can be made reasonably, without telling anyone that their attitude is cancerous.


I don't think that appealing to courtesy is really the play here.

We are discussing ideas about security in a place and manner that allows us to have honest and frank conversations.

I think security teams optimizing only for security is actually a very apt analogy to cancer: part of the organization is acting in a manner that is negatively impacting the organization at large, while positively impacting that subset of the organization.

Cancer is the act of some cells in your body prioritizing themselves at the expense of the whole.

Personally - I think you're digging to find an insult in that comment, and I take it as a way for you to disengage with the topic at large.

This is an attitude that is routinely used to shut out voices that don't match the current "dress code".

Trust me, I'm hardly going to be calling you cancer over the dinner table for not passing the salt. I'm using that word intentionally and carefully - in a frank and honest conversation. If you're feeling hurt (especially on behalf of someone else...) maybe go do something else?


> The problem with 'defense in depth'

No, that's a problem with bad engineering. That a process requires skills most people attempting it don't have isn't a problem with the process, it just means that it is hard and relatively new.

One thing I see all the time that demonstrates this incompetence is talking about something being more or less "secure" without reference to a threat model. You simply can't make reasonable tradeoffs without thinking this through, and yet nobody wants to do the exercise.

In fairness, this is not just an engineering fault. I've seen one case where a legal department freaked out when they heard about a risk analysis project in pursuit of a formal threat model - they vehemently objected to anyone producing documents about such things that could potentially surface in some discovery fight.


> One thing I see all the time that demonstrates this incompetence is talking about something being more or less "secure" without reference to a threat model. You simply can't make reasonable tradeoffs without thinking this through, and yet nobody wants to do the exercise.

Hey - I completely 100% agree. Believe it or not, I did quite a stint in software security before becoming this jaded (5+ years full-time work at a security-focused product sold primarily to large Fortune 100 companies [banks - it was all banks]).

I think my problem is that for any difficult challenge... there is an answer that is simple, obvious, and incorrect.

My opinion is that the incorrect answers I see most are the two extremes: I don't care about security (BAD!). I only care about security (WORSE!!!!).

The first will eventually lead to compromised accounts/data and that can kill a company. The second will lead to products no one wants to use, which WILL kill a company.

Neither is a good spot to be. You want to find an appropriate compromise in the middle: Secure enough.

----

Side note - no one truly does the threat assessments based on threat model because no one in industry likes the answers.

For small and inconsequential threats - you are already secure enough.

For nation states - there is likely no solution that is workable if the thing is on the internet.

It's like trying to buy a secure door for your house: For most folks walking down the street, the current door is fine. When the Gov shows up with tanks - there is no door you can buy to solve the problem.
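Two points in this thread, that a control is a liability when it costs the organization more than the risk it removes, and that "more secure" means nothing without a threat model, can be made concrete with a small risk-tradeoff calculation. The following is an added example written for this discussion; it is not code from any commenter. The threat, control names, frequencies, dollar figures and bypass probabilities are all constructed for illustration, and the model treats layered controls as independent (residual bypass is the product of each layer's bypass probability), which is itself a simplifying assumption.

```python
"""Annualized-loss model for deciding whether one more 'layer' is worth its friction.

ALE (annualized loss expectancy) = incidents per year * loss per incident.
A candidate control is net-positive only if the ALE it removes, for the
threats in the threat model, exceeds its running cost plus the productivity
it takes away from users. All numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    incidents_per_year: float  # expected successful attempts if no layer stops them
    loss_per_incident: float   # recovery, downtime, fines (currency units)


@dataclass(frozen=True)
class Control:
    name: str
    bypass_probability: float      # P(attacker who reaches this layer gets past it)
    annual_cost: float             # licensing and operations
    friction_hours_per_user: float  # productivity lost per user per year


def residual_bypass(controls: List[Control]) -> float:
    """Probability an attacker gets through every layer (independence assumed)."""
    p = 1.0
    for c in controls:
        p *= c.bypass_probability
    return p


def ale(threat: Threat, controls: List[Control]) -> float:
    """Expected annual loss from this threat given the layers in place."""
    return threat.incidents_per_year * residual_bypass(controls) * threat.loss_per_incident


def net_benefit(threat: Threat, existing: List[Control], candidate: Control,
                users: int, hourly_rate: float) -> float:
    """Risk removed by the candidate minus what it costs the organization.

    A negative result means the control damages the org more than the risk it
    saves against: the 'liability' case from the thread.
    """
    before = ale(threat, existing)
    after = ale(threat, existing + [candidate])
    friction_cost = candidate.friction_hours_per_user * users * hourly_rate
    return (before - after) - (candidate.annual_cost + friction_cost)


# Constructed threat model: one threat, one layer already deployed.
CREDENTIAL_THEFT = Threat("phishing-led credential theft",
                          incidents_per_year=4, loss_per_incident=250_000)
EXISTING_LAYERS = [Control("app-based MFA", bypass_probability=0.20,
                           annual_cost=10_000, friction_hours_per_user=2)]

# Two candidate 'defense in depth' additions (constructed values).
CANDIDATES = [
    # Re-prompting for MFA every 15 minutes: barely changes bypass odds, huge friction.
    Control("re-prompt MFA every 15 minutes", bypass_probability=0.90,
            annual_cost=0, friction_hours_per_user=40),
    # Phishing-resistant hardware keys: large drop in bypass odds, modest friction.
    Control("phishing-resistant hardware keys", bypass_probability=0.05,
            annual_cost=25_000, friction_hours_per_user=1),
]

USERS = 500
HOURLY_RATE = 60.0


def evaluate_candidates() -> List[Tuple[str, float]]:
    """Rank candidate layers by net benefit, best first."""
    scored = [(c.name, net_benefit(CREDENTIAL_THEFT, EXISTING_LAYERS, c, USERS, HOURLY_RATE))
              for c in CANDIDATES]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print(f"ALE with existing layers: {ale(CREDENTIAL_THEFT, EXISTING_LAYERS):,.0f}")
    for name, benefit in evaluate_candidates():
        verdict = "adds defense" if benefit > 0 else "adds depth only (liability)"
        print(f"{name:40s} net {benefit:>14,.0f}  -> {verdict}")
```

With these constructed inputs, the frequent re-prompt removes about 20,000 of annual expected loss while costing 1.2 million in lost user time, so it comes out deeply negative; the hardware keys remove about 190,000 against 55,000 of cost. The point is the shape of the calculation, not the numbers: if you cannot write down the threat, the frequency and the bypass probability, you cannot say whether a layer is "adding defense" or just "adding depth".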