
Random Perspectives on Cybersecurity EP2


You can't secure what you don't understand.

Security is rarely a default state. In most cases, it's an additional layer. But to enforce it, you need to understand:

  1. Common Misconfigurations & Mistakes

  2. Common Attacks & Their Defenses

  3. Regression Bugs: Every update might bring some new bugs.

Fundamentally, to secure a perimeter you first need to understand that perimeter. The most important realization a cybersecurity professional can have is that every perimeter is inherently insecure. You can't secure it completely, but you can make it less vulnerable. Understanding how the perimeter is vulnerable and quantifying that exposure is the first task. Figuring out what kind of security can be enforced to protect it is the second.

You can't secure the level that you can't understand.

There are layers to software and hardware. Every layer has some function, and each layer adds another abstraction. Understanding all the levels is hard, and you can only secure the level that you understand. You can't secure the level that you don't. You have to leave it to god, with the prayer that whoever designed the lower levels has taken care of the security aspect.

These are usually the vendors you license your products from. But the truth is that security is always an afterthought.

Security isn't the essential thing while making software.

Security isn't considered an essential part of making software. But a loss of security is an essential event. To get the software running, we need a Minimum Viable Product (MVP) to show the stakeholders, and stakeholders don't really care about security (because most of them aren't very technical). They care that the software functions as intended.

Startups need to move and ship fast, so security testing is often removed from the standard Software Development Life Cycle to cut down the number of steps.

This mindset results in cybersecurity folks being hired as a separate entity / team once the product gains momentum. So in some sense, this lack of security is very important for me in getting hired. But the truth is that no matter how hard you try to code securely, there are always vulnerabilities there!