5 Comments

Neatly put.

This post is a remarkable callout for enterprise security pundits and product marketers to jump in with their "casually smart" perspectives about the new paradigm-shifting approach that works and accidentally coincides with what they are selling.

Should their absence be considered a hallmark for Substack readership/culture?

Yeah, agreed here. How do we prevent unknown unknowns from materializing in the cloud like xenon poisoning in an RBMK reactor? Maybe Google or AWS should automatically report suspicious instances of currently used and also newly used service instances through some smart detection system?

I think you make good points. These two areas of security are interrelated and dependent on one another. The software we make must be high quality to prevent it from leading to breaches of our customers and enterprise security must be high to prevent compromise of the environments used to build that software. In short, we need both and not just one or the other.

Sure. I don't think I'm arguing against trying to improve AppSec: I'm just saying that it's in a vastly better state, and the industry seems to be moving in reasonable directions on its own. It used to be that you could compromise just about anything through software bugs. Nowadays, for the most-used software, the bar is far higher.

In contrast, when it comes to enterprise security, it feels like the late 1990s, and persistent attackers can usually get in without needing exotic techniques - no matter if you're a public utility in Beaver's Bottom, ID, or if you're Microsoft. And there are few prescriptions we can offer to fix that. If there is an infosec emergency, I think it's more on the "running a company" side.

...which is why I don't get invited to government panels on computer security