Infosec (-) 

I hate that as a developer any concerns I have about the corporate infosec policies are dismissed as either “laziness” (because the things I notice are the ones that make my job harder/worse) or worse as “opposition team with no certifications”. To do my job well and ethically, I’ve had security training, just no incentive to take overpriced tests on it because it won’t affect my salary.

Infosec (-) 

Making me use two different accounts to get admin access to my dev machine doubles the account attack surface we both have to worry about. If the intent is that you don’t trust Yes/No UAC and want it “signed” with a password every time, you realize you can set that as the UAC default in group policy and don’t need to force the Run As to get it?
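The post above refers to the group policy that makes UAC ask for a password instead of a Yes/No click. As an added example (not part of the original thread), this read-only PowerShell snippet inspects the registry values that policy writes, so an administrator or developer can confirm what the elevation prompt is actually configured to do before arguing about a second account. The value meanings are the documented ones for “User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode”; the assumption is a standard Windows 10/11 workstation where the policy lives under the usual Policies\System key.

```powershell
# Added example: audit the UAC elevation-prompt policy (read-only).
$path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$props = Get-ItemProperty -Path $path -ErrorAction Stop

# Documented values of ConsentPromptBehaviorAdmin
$meaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}

# If the value is absent the Windows default (5) applies.
$raw = $props.PSObject.Properties['ConsentPromptBehaviorAdmin']
$behavior = if ($null -eq $raw) { 5 } else { [int]$raw.Value }

$secureRaw = $props.PSObject.Properties['PromptOnSecureDesktop']
$secure    = if ($null -eq $secureRaw) { 1 } else { [int]$secureRaw.Value }

$luaRaw = $props.PSObject.Properties['EnableLUA']
$lua    = if ($null -eq $luaRaw) { 1 } else { [int]$luaRaw.Value }

[pscustomobject]@{
    EnableLUA                  = $lua
    ConsentPromptBehaviorAdmin = $behavior
    Meaning                    = $meaning[$behavior]
    PromptOnSecureDesktop      = $secure
    # 1 and 3 are the two settings that demand a password at every elevation
    RequiresPassword           = ($behavior -in 1, 3)
} | Format-List
```

If RequiresPassword comes back True, the elevation prompt already collects a password from the logged-in administrator account; that is the configuration the post is pointing at as an alternative to a separate Run As identity.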

Infosec (-) 

Of course, user behavior studies of UAC versus sudo continue to show that the “muscle memory” dismissal problem is the exact same whether or not it is Yes/No or password entry. And sudo chain unlocks for multiple calls in a session because those same studies have shown that password unlock muscle memory is actually worse and increases the likelihood of typing passwords into phishing malware. Password UAC is bad security theater.

Infosec (-) 

But let’s say password UAC was a good idea in this case despite all the evidence and user behavior studies, we’re still rotating passwords every month-ish. You realize all the studies on that have shown that people use shit passwords if they have to change them often, right? So two accounts is double the shit passwords every month, right? And you think the account used less frequently is going to have a better password? Or one not stored in the other account?

Infosec (-) 

(Not that I’d use intentionally shit passwords. But I am a human and I’m shit at remembering my grocery list when I just checked it an aisle back. Humans are shit at passwords and passwords are inhumane. As a developer my professional role is to remove password authorization from as many applications as possible, because that’s better for humans.)

Infosec (-) 

The other thing that absolutely drives me insane as a developer is TLS interception. All of my canaries are dead, all of the time. Almost every developer tool I have is yelling at me all the time that I’m in the middle of a man in the middle attack. I need to protect myself and the stuff I develop on behalf of my users and I don’t have canaries to tell me if the worst happens in these mines because the canaries are all dead.

Infosec (-) 

It’s a single point of failure! I cannot believe how many large companies still see TLS interception as a “best” practice. Must be great for the bottom lines of all the super expensive corporate firewalls still selling this madness. I’ve seen MITM attacks on NPM and all the SolarWinds headlines and some of the articles. I need these MITM canaries. It’s not just “laziness” that I need hours to configure all these CA bundles manually and disable so many errors/warnings everywhere.

Infosec (-) 

It also doesn’t help that even my suggestions to improve this shit show security theater of MITM attacks on ourselves have been met with glass-eyed stares and “where’s your infosec credentials, huh?”

If we are going to play “Baby CA” (and first rule of CA club is never be your own CA, but ignoring that), can we at least get it fucking right at some of the basics?


Infosec (-) 

No, the Root CA can’t be a self-signed certificate in 2021. That’s just fucking stupid on so many levels and hasn’t been allowed for *Real* Root CAs since like 1997 (and enforced in most tools since like 2007). Root CAs are cross-signed against each other because the worst could happen and a self-signed cert can’t be revoked and is (guess what?) a massive Single Point of Failure.

Speaking of which Revocation Lists are an important thing that should exist even for a “Baby CA”.

Infosec (-) 

But sure your massively overpriced firewall vendor doesn’t support building a family of cross-signed Root CAs and your vaunted credentials apparently didn’t cover Root CA Basics and I just have to expect the “self-signed cert in chain” and “no valid revocation list found” canaries to always be dead.
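Two of the posts above, the one about the dead “no valid revocation list found” canary and the one saying a revocation list should exist even for a “Baby CA”, describe something that can be shown end to end with nothing but the openssl command line. The following is an added example, not code from the original thread: it builds a throwaway test CA in a temporary directory, issues a leaf certificate, publishes a CRL, then verifies the leaf with revocation checking before and after revoking it. The CA name, the leaf name and every path are constructed for the demo; the only assumptions are a POSIX shell and an openssl binary (1.1 or 3.x) on the PATH.

```shell
#!/bin/sh
# Added example (not part of the original thread): a "baby CA" that
# actually publishes a CRL, so a client doing revocation checking gets
# a real answer instead of a permanently dead canary.

# Returns 0 when the leaf verifies with CRL checking before revocation
# and is rejected after revocation; 1 or 2 otherwise.
crl_demo() (
  set -eu
  work=$(mktemp -d)
  cd "$work"
  # state files that "openssl ca" expects to exist
  touch index.txt
  echo 1000 > serial
  echo 1000 > crlnumber

  # minimal CA configuration; $dir is expanded by openssl, not the shell
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = baby_ca

[ baby_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any
x509_extensions  = leaf_ext

[ policy_any ]
commonName       = supplied

[ req ]
distinguished_name = dn
x509_extensions    = ca_ext

[ dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF

  # test CA key and certificate (constructed name)
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout ca.key -out ca.crt -subj "/CN=Baby Test CA" >/dev/null 2>&1
  # leaf request, signed by the test CA
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=leaf.example.test" >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key \
    -in leaf.csr -out leaf.crt >/dev/null 2>&1

  # publish a CRL (empty so far): the step a baby CA usually skips
  openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
    -gencrl -out ca.crl >/dev/null 2>&1

  # before revocation: verification with CRL checking must succeed
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt \
    >/dev/null 2>&1 || exit 1

  # revoke the leaf, reissue the CRL, verify again: must now fail
  openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
    -revoke leaf.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
    -gencrl -out ca.crl >/dev/null 2>&1
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt \
      >/dev/null 2>&1; then
    exit 2   # revoked leaf still accepted: CRL checking is not in effect
  fi

  cd /
  rm -rf "$work"
  exit 0
)
```

Run it as `crl_demo && echo "CRL honoured"`. The same `openssl verify -crl_check` invocation is the check a developer can point at when a corporate interception CA offers no CRL at all: with a real CRL distribution point the verification either passes or fails for a reason, instead of failing permanently with a warning everyone has learned to silence.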

Infosec (-) 

Another topic: we’ve spent months dicking around with all this insane overkill private networking for Azure resources but the only mostly reliable way I have to deploy code is directly manually from a development machine. You’ve prioritized private links to my local machine over any links at all to Azure DevOps. One of these is “amusing” Theater and the other an actual code security risk I cannot get addressed no matter how much I bring it up.

Infosec (-) 

Anyway, tl;dr: I’m just a fucking developer, don’t listen to me, what the hell do I know? 🙄
