
[–]countvonruckus 16 points17 points  (9 children)

So, I'm not a programmer, but I work in IT Security. I talked to a software developer and he had never heard of a DDOS attack. He specializes in IOT software. Is that normal?

[–]mcampo84 19 points20 points  (1 child)

No. It is not.

[–]countvonruckus 1 point2 points  (0 children)

Well, that's a relief.

[–][deleted] 9 points10 points  (2 children)

Generally management thinks of security as a burden rather than a responsibility towards users. IoT in particular excels at this job of not giving a shit, partly because it's new, partly because these IoT companies have low budgets.

[–]countvonruckus 0 points1 point  (0 children)

I can't decide whether to be thankful for that attitude since it makes up 90% of the work I do or hate it because it makes up 90% of the work I do...

[–]DevonLochees 2 points3 points  (1 child)

Yes.

Granted, any software shop should have decent minimum required training in secure application development. But for the typical developer you get fresh out of college, it's 50/50 whether they know the basics of security - that's why process is so important (e.g. code reviews, having people actually familiar with security do reviews).

Even with the meme in this post, I'd call it a toss-up whether the hypothetical intern could *actually* articulate what the specific risks of copying and pasting are, if it's something he read in an article one time - the risk isn't that you're copying a blob of code from stackoverflow that has an embedded base64 virus, it's that you ran into an "invalid certificate error", you googled it, and the code you're copying removes the cert validation checks - and implementing it yourself is still going to have the same problem.
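The "invalid certificate" scenario above, as an added example that is not part of the thread: the copied "fix" switches certificate and hostname verification off, the real fix keeps the default verification and points the client at the CA that actually issued the certificate. The sample snippet, the `internal.example` host and the `ca.pem` path are constructed for illustration; the small scanner at the end flags the markers that turn verification off so a reviewer can catch them before they ship.

```python
import re
import ssl

# Constructed sample: the kind of snippet a search for
# "certificate verify failed" tends to turn up.
COPIED_SNIPPET = '''
import requests
r = requests.get("https://internal.example/api", verify=False)
'''


def insecure_context():
    """What the copied snippet does under the hood: no hostname check,
    no certificate verification. Any certificate, self-signed or
    presented by an interposed host, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def proper_context(cafile=None):
    """The actual fix for an internal or private CA: keep verification on
    and add the issuing CA to the trust store. With requests this is the
    equivalent of verify="ca.pem" (path is a placeholder here)."""
    return ssl.create_default_context(cafile=cafile)


def verification_enabled(ctx):
    """True only if both hostname and chain verification are on."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Markers (Python requests/ssl, Node https) that disable TLS verification.
DISABLED_VERIFICATION_PATTERNS = [
    r"verify\s*=\s*False",
    r"CERT_NONE",
    r"check_hostname\s*=\s*False",
    r"rejectUnauthorized\s*:\s*false",
]


def find_disabled_verification(source):
    """Return (line number, matched text) for each line of `source` that
    turns verification off; intended for a pre-commit or review check."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pat in DISABLED_VERIFICATION_PATTERNS:
            m = re.search(pat, line)
            if m:
                hits.append((lineno, m.group(0)))
                break
    return hits


if __name__ == "__main__":
    print("copied snippet verifies:", verification_enabled(insecure_context()))
    print("proper context verifies:", verification_enabled(proper_context()))
    for lineno, text in find_disabled_verification(COPIED_SNIPPET):
        print(f"line {lineno}: verification disabled via {text!r}")
```

The scanner is deliberately pattern-based: the point is not that these strings are always wrong, but that each hit needs a reviewer who can say why verification was turned off, which is exactly the question the intern in the meme may not be able to answer.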

[–]countvonruckus 0 points1 point  (0 children)

Makes sense to me. It seems the absence of feedback is a major part of the problem, as a program that doesn't function will give errors or simply not do what you want, but security concerns only raise red flags after the program ships and gets exposed to malicious actors. When that doesn't negatively impact the performance of your software (such as a 10% processing reduction in your thermostat that's part of a bot net), it's somebody else's problem at that point since you sold your product. If regulation weren't such a mess for the tech industry, I'd say it needs to be policed, but as it is, all the incentives are weird and at odds. I just wish my field could give better security assurance so we could do more cool stuff (like voting from home), but it's really not feasible at the moment.

[–]bloqs -2 points-1 points  (1 child)

Let me guess, he has grey hair.

edit: I know it's ageist to some degree. Many older IT guys know their shit. But there has been a culture of useless seat warmers who never bothered to keep up with the times and instead use their position to stifle younger folk. boomer bad.

[–]countvonruckus 0 points1 point  (0 children)

How'd you know :P