• sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    4 months ago

    Security audits should be preventative. Have them before any significant change in infrastructure is released, and have them periodically as a backup.

    I had a cryptography and security class in college (I took the elective), and honestly, we didn’t cover all that much that’s actually relevant to the industry, and everything that was relevant was quickly outdated. That’s not going to be a solution, we need a greater appreciation for security audits.

    • umami_wasabi
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      4 months ago

      At least teach the concept of “don’t do it ever” won’t hurt, and won’t get outdated anytime soon.

      However, this approach will hurt security in the long term as this brings to burden to the lib dev to maintain a foolproof design, which they can burnout, quit, and leave a big vulnerbility in the future as most dev won’t touch the code again if it’s still “working.”

      Cybersecurity is very important in today’s digital landscape, and cryptography is one of the pillers. I believe it’s essential for devs to learn of core principles of cryptograhy.

      Again, audits are nice, and you can use it in various points, but it’s not silver bullet. It is just a tool, and can’t replace proper education. People are often ignorant. Audits can generate any number of warnings it can, but it’s the people needs to take corrective actions, which they can ignore or pressured to ignore. Unless it’s part of a compliances certification process that can cause them to get out of business. Otherwise, most managers are “What would I care? That cost more.”