
I think that it could be "security as a feature"

Usually, a feature is included in a product if the marketing shows that it will grow the business more than the cost of the feature. Maybe we can try the same idea?

"We identified this vulnerability, and it will impact X % of our customers and Y % will leave (+ reputation damage), so we will lose BIGNUMBER $. However, we can correct it for SMALLNUMBER $ in Z days. Decision?"




Security shouldn't be seen as a feature, it should be the default.

Advertising something as "secure" SHOULD be seen as silly as advertising it as "doesn't crash". But we're not ready for that, I guess.


It's absolutely hard, but you need to advertise and promote security for it to stay relevant, internally and externally. The moment it becomes the "default" I think the only way is downward.

The marketing dept should do something for that, that's their job. If Apple can tout privacy as a feature, Microsoft can find a way to have security as a shiny feature on their keynote, with internal projects rewarded for increasing security by x% etc.


With the increasing number of breaches over the years, it is 100% a feature. I see it as insurance: ideally nothing happens, but if/when something happens the company should be ready to compensate for damages.


They did that in FTA:

> In the months and years following the SolarWinds attack, Microsoft took a number of actions to mitigate the SAML risk. One of them was a way to efficiently detect fallout from such a hack. The advancement, however, was available only as part of a paid add-on product known as Sentinel.

So you sell me a submarine with screen doors, avoid fixing it for years, cripple internal processes that would fix it, and then you want to charge me for a water alarm? That's chutzpah.


I didn't think that it would be a feature to be charged to the consumer... only that it's a way to present it to top management.


And where do you take those numbers from?

Also identification is one thing, but good security should mean the vulnerability didn't occur in the first place.

Then you also need to get budget for identifying vulnerabilities.

After that you need budget to research how costly the vulnerability could be.

But before getting those budgets you need budget again to propose all of that and data to prove its value.

Unless you use your own time to do all of that or accidentally stumble upon something.

I think the only realistic way to get any sort of budget is if a deep enough incident actually happens. And this will only last maybe for a year, until most of the decision-makers have been rotated out for new ones wanting only to deliver again.


Real security cannot be a feature.

Your complete system design and other features should be based on the idea of ”security first”, if you really want to build secure systems.


> Your complete system design and other features should be based on the idea of ”security first”, if you really want to build secure systems.

One can argue that the most secure system is the one turned off and not used. And I am not talking about devices with built-in batteries.


One can always argue that, but fundamentally security is about limiting the system's use to its purpose and eliminating all unwanted scenarios.

If you need to use the system, you cannot turn it off or not use it.



