• umami_wasabi
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    4 months ago

    At least have few lessons let them remember not to roll their own crypto, and respect those scary warnings. These needs to be engraved into their mind.

    I agree security audit would catch this, but that’s something after the fact. There is a need for a more preventative solution.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      4 months ago

      Security audits should be preventative. Have them before any significant change in infrastructure is released, and have them periodically as a backup.

      I had a cryptography and security class in college (I took the elective), and honestly, we didn’t cover all that much that’s actually relevant to the industry, and everything that was relevant was quickly outdated. That’s not going to be a solution, we need a greater appreciation for security audits.

      • umami_wasabi
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        4 months ago

        At least teach the concept of “don’t do it ever” won’t hurt, and won’t get outdated anytime soon.

        However, this approach will hurt security in the long term as this brings to burden to the lib dev to maintain a foolproof design, which they can burnout, quit, and leave a big vulnerbility in the future as most dev won’t touch the code again if it’s still “working.”

        Cybersecurity is very important in today’s digital landscape, and cryptography is one of the pillers. I believe it’s essential for devs to learn of core principles of cryptograhy.

        Again, audits are nice, and you can use it in various points, but it’s not silver bullet. It is just a tool, and can’t replace proper education. People are often ignorant. Audits can generate any number of warnings it can, but it’s the people needs to take corrective actions, which they can ignore or pressured to ignore. Unless it’s part of a compliances certification process that can cause them to get out of business. Otherwise, most managers are “What would I care? That cost more.”