> Part of this is that nobody has cared about security since the beginning, for basically anything in tech.
> It’s an industry-wide issue that permeates every level of the stack.
Can you explain? I don't understand. Here's my take.
Let's start from the bottom of the stack. CPU has some good security protections. They have ways to ensure that boot code is signed. They have hardware protection for memory. They have memory encryption to isolate VMs. They have many amazing security technologies. I can run VM inaccessible by host.
Let's move to OS. Well, there's lot of security stuff in any OS. Process isolation, namespace isolation, encrypted storage.
Next level is container orchestrator which happens to be Kubernetes these days. Again, there's lots of security stuff there. Built-in and add-ons. Everything is authenticated with cryptography. Many ways to implement very granular secret sharing. Secret stuff is encrypted in-rest.
Next level is application framework. Can't tell for every framework, but all frameworks I've seen so far was quite security-cautious. They try to safeguard known security issues (like SQL injections), they make it easy to add security layers on top, and so on.
Nobody cared about security in 1984, I guess. That's not the case anymore. Everyone cares about security. May be there's still space for improvement.
The only people who don't care about security are end-users. They don't even know what security is. They don't care about their passwords. They don't care about sharing their access. They don't care to check domain before typing password.
Also some application developers don't care much about security, that I admit. But that's not the every level of the stack. That's the last level of the stack.
Zero days capable of nuking the OS are not going to be found in random apps or malware. Anyone with that kind of ability will be using it for nation-state targeted intelligence ops, not wasting it on random individuals.
> It’s an industry-wide issue that permeates every level of the stack.
Can you explain? I don't understand. Here's my take.
Let's start from the bottom of the stack. CPU has some good security protections. They have ways to ensure that boot code is signed. They have hardware protection for memory. They have memory encryption to isolate VMs. They have many amazing security technologies. I can run VM inaccessible by host.
Let's move to OS. Well, there's lot of security stuff in any OS. Process isolation, namespace isolation, encrypted storage.
Next level is container orchestrator which happens to be Kubernetes these days. Again, there's lots of security stuff there. Built-in and add-ons. Everything is authenticated with cryptography. Many ways to implement very granular secret sharing. Secret stuff is encrypted in-rest.
Next level is application framework. Can't tell for every framework, but all frameworks I've seen so far was quite security-cautious. They try to safeguard known security issues (like SQL injections), they make it easy to add security layers on top, and so on.
Nobody cared about security in 1984, I guess. That's not the case anymore. Everyone cares about security. May be there's still space for improvement.
The only people who don't care about security are end-users. They don't even know what security is. They don't care about their passwords. They don't care about sharing their access. They don't care to check domain before typing password.
Also some application developers don't care much about security, that I admit. But that's not the every level of the stack. That's the last level of the stack.