Hacker News new | past | comments | ask | show | jobs | submit login

What do you mean by, "I know too much about cybersecurity which is good for my end users, but bad for my feature productivity"?



One thing that pervasively infects every decision is the principle of least privilege. Basically it’s the idea that someone/something should only have the minimum access necessary to do what they/it is supposed to do. It applies to infrastructure access control, network communication, application access control, everything. Once it becomes a default part your thinking you sometimes have to make conscious tradeoffs so you don’t spend forever perfecting things and not delivering any value. Ideally a lot of that thought and effort is common or reusable though.


This is most easily explained by examples.

Before:

I'll get my clients to give me access to an S3 bucket that I can push their data to.

Now:

I'll make sure I get my clients to give me a password or public key to encrypt their data before I push it to the S3 bucket because many people fuck up security on those things.

To my end user, it's obviously more secure, but it isn't lining my pocketbook and most end users don't care about security, even if they should. Same thing with security headers or anything, really. Security slows you down at some point.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: