> As for when these tradeoffs are appropriate, hard to say And that is my bigges...

marcosdumay · on Sept 29, 2022

> If you don't know whether you need something, you don't need it.

That's a bad approach for security.

Starting with the solution is the wrong way to do it, but you certainly need to actively look if you have problems.

hbrn · on Sept 29, 2022

Let's say you're a startup that's hiring it's 5th engineer.

Should you do criminal background checks? Install spyware on laptops? Forbid hiring from other countries? Restrict developer access to production env? Invest all your development time into security features until you run out of those?

If you actively look for problems, you will justify all of those.

Security is not about knowing which problems exist and fixing them all. It's about knowing which risks are acceptable at your current stage. If you don't know which risks are acceptable, applying random security practices is worse than no security at all. At least when there's no security you are aware of it.

If you can't come up with an attack vector where HTTP Basic Auth causes significant problems, you don't need JWT to secure communication. And even if you can come up with an attack vector, is it really easiest one to execute?

Speaking of attack vectors, how many of the folks that use JWT for inter-service communication actually rotate encryption keys when anyone who has access to them leaves the company? My bet is very few.

P5fRxh5kUvp2th · on Sept 29, 2022

Why do security people think security trumps everything?

It's a serious question. As time goes on I more and more land on the side of Linus Torvalds wrt to security.

It kills me the amount of stupid shit I've seen done in the name of security.

If security people were to come up with driving standards, no one would be allowed to turn left because it's more dangerous then turning right.