• sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    2
    ·
    4 months ago

    Eh, I disagree. Cryptography really isn’t something your average software engineer needs to know about, as long as they understand that you should never roll your own crypto. If you teach it in school, most students will forget the details and potentially just remember some now-insecure details from their classes.

    Instead, we should be pushing for more frequent security audits. Any halfway decent security audit would catch this, and probably a bunch of other issues they have as well. Expect that from any org with revenue above some level.

    • umami_wasabi
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      4 months ago

      At least have few lessons let them remember not to roll their own crypto, and respect those scary warnings. These needs to be engraved into their mind.

      I agree security audit would catch this, but that’s something after the fact. There is a need for a more preventative solution.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        4 months ago

        Security audits should be preventative. Have them before any significant change in infrastructure is released, and have them periodically as a backup.

        I had a cryptography and security class in college (I took the elective), and honestly, we didn’t cover all that much that’s actually relevant to the industry, and everything that was relevant was quickly outdated. That’s not going to be a solution, we need a greater appreciation for security audits.

        • umami_wasabi
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          4 months ago

          At least teach the concept of “don’t do it ever” won’t hurt, and won’t get outdated anytime soon.

          However, this approach will hurt security in the long term as this brings to burden to the lib dev to maintain a foolproof design, which they can burnout, quit, and leave a big vulnerbility in the future as most dev won’t touch the code again if it’s still “working.”

          Cybersecurity is very important in today’s digital landscape, and cryptography is one of the pillers. I believe it’s essential for devs to learn of core principles of cryptograhy.

          Again, audits are nice, and you can use it in various points, but it’s not silver bullet. It is just a tool, and can’t replace proper education. People are often ignorant. Audits can generate any number of warnings it can, but it’s the people needs to take corrective actions, which they can ignore or pressured to ignore. Unless it’s part of a compliances certification process that can cause them to get out of business. Otherwise, most managers are “What would I care? That cost more.”