hachyderm.io is one of the many independent Mastodon servers you can use to participate in the fediverse.
Hachyderm is a safe space, LGBTQIA+ and BLM, primarily comprised of tech industry professionals world wide. Note that many non-user account types have restrictions - please see our About page.

Infrastructure as code is great and all, but why is it that we've completely failed as an industry when it comes to best practices as code?

Hazel Weakly

Seriously, try and learn anything about infrastructure on the internet, or building a web app, or literally any fucking thing whatsoever about software. What are you going to see?

"WARNING: Simple example demo application, do not use in production, this code is garbage and you should feel garbage for reading it. may the gods have mercy because your lawyers wi..."

I mean... Really? That's the best we can do?

If I look at the incentives of the industry as what we do and what we make easy, it'd honestly be hilarious if it wasn't so sad. We've made it ONE CLICK BUTTON levels of easy to build a hello world website, to spend millions of dollars in AWS, to allow hackers to wipe your bank accounts, and to configure everything for maximum inaccessibility, maximum tracking, maximum page bloat, and minimal safety.

Sure, configuring 23 different tools, 7 different compilers, a nested chain of object transformation 83 levels deep, mutually recursive editor configuration, subtle interactions between components, etc., is just one single "npx create-front-end-website --yolo --fuck-it" away.

But creating an accessible web form that can take the following inputs: "your name"? That's just too fucking hard.

I can create 30 kubernetes clusters in a for loop in my shell in about 30 seconds. I can make one of them actually secure and production ready in 8 months with a team of 5 people.

WHY. WHY ARE WE LIKE THIS.

It's not even about sane and secure defaults, it's about us having a culture of not making the things that matter ergonomic that goes back 80 years and I don't have the slightest fucking clue on how we're going to fix that mountain of compounding consequences as an industry.

What I do know, however, is that it's endlessly frustrating to see the results slam into the marginalized, the beginners, and those with less resources over and over and over. I'm sick of it, honestly.

What would it even look like as an industry if we valued composition of security and accessibility even 5% as much as we valued syntax highlighting and emojis in a terminal?

@hazelweakly ... put these fucks in a conference room and say "y'know, you made some choices back in the day which are making this hard now. You wanted convenience - you got it - at the cost of security."

They moan and roar, but they will not start with security when they dream up these systems....

@tuban_muzuru the thing that kills me is that it's such an absolutely false dichotomy to think it has to be a choice between security and convenience.

There's actually three choices imo: security, convenience, and collaboration, and if you pick collaboration you get the other two for free, but asking a bunch of people steeped in capitalism and toxic masculinity to choose "collaboration" is a nonstarter so we're stuck with half convenience, no security, and perversely incentivized collaboration

@hazelweakly By the time this consultant has been brought in - with a mandate to retrofit security into their oh-so-convenient app, it's no longer a false dichotomy: they chose convenience and never even TALKED to the security people. It's an absolutely real stinking-up-every-morning-standup problem.

@tuban_muzuru oh for sure. We have almost the opposite problem at my company. We operate with a high compliance level, but we still have difficulty with security and infrastructure and product talking to each other, and so the friction is way higher than it should be to get almost anything done. I'm working on it, but it'll take a bit to improve things

@hazelweakly Once I'm on site, there are two groups I befriend - the DBAs and security people. The solution usually starts with putting those people together and listening to them. The apps people have been annoying both for years.

@hazelweakly can you explain that a bit more or link me something that explains it?

As much as I try to have security not be a blocker and run it in a cooperative manner, I do still think that it has to give up some convenience. Mostly in the sense that it must make doing the wrong thing harder, which often means that you have to put in a bit more effort to get anything done.

So rn I don't know what you mean by collaborative giving both convenience and security.

@myrion collaboration here is in coordination between systems and people: system <> system, system <> people, people <> people

Secure boot on macOS is a fantastic example of this, and so is boot security in AWS. You have hardware trust modules in the hardware, certificates embedded in the process, and an extremely secure handoff that's so seamless that users don't even know they're participating in the system.

BUT: the hardware, encryption, handoff procedure, APIs, UX, etc, all must coordinate

@myrion in the broader scale, things are less rosy for me. Using the secure boot example again: not a single OS or CSP or consumer computing device uses the same setup or sets things up in a way that the UX is uniform. There's no standard that's *actually* standard. It's simply not a solved problem.

And that's really really unfortunate. Even iPhones and macOS don't have the same setup. But it means that building on *top* of that stuff is really super fucking hard, if not impossible outright.
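The "hardware, encryption, handoff procedure" coordination described in the two posts above, as an added example that is not part of the thread and not Apple's or AWS's design: a measured-boot model in which each stage is hashed into a TPM-style platform configuration register (PCR) before control is handed to it, an event log records what was measured, and a verifier replays the log and compares it against a golden value computed from the images the operator actually released. The stage images, names and golden value are constructed for the example; in a real system the PCR lives in a TPM or Secure Enclave and the reported value is signed by that hardware (a "quote"), which stdlib-only code cannot show and which this example omits.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR, all zeros at power-on


def extend_pcr(pcr: bytes, image: bytes) -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || H(image)).

    The order of stages is baked into the result, so swapping or
    inserting a stage changes the final value even if every image is
    individually known-good.
    """
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measured_boot(stages):
    """Firmware side: measure each stage before handing off to it.

    Returns the final PCR value and the event log of (stage name, digest).
    """
    pcr = bytes(PCR_SIZE)
    event_log = []
    for name, image in stages:
        event_log.append((name, hashlib.sha256(image).hexdigest()))
        pcr = extend_pcr(pcr, image)
    return pcr, event_log


def replay_event_log(event_log) -> bytes:
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = bytes(PCR_SIZE)
    for _name, digest_hex in event_log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr


def attest(pcr: bytes, event_log, golden_pcr: bytes):
    """Accept only if the log reproduces the reported PCR AND the PCR
    matches the known-good value; a plausible-looking log that does not
    reproduce the register is rejected first."""
    if not hmac.compare_digest(replay_event_log(event_log), pcr):
        return False, "event log does not reproduce reported PCR"
    if not hmac.compare_digest(pcr, golden_pcr):
        return False, "PCR differs from golden value"
    return True, "ok"


# Constructed sample images standing in for firmware, bootloader and kernel.
KNOWN_GOOD = [
    ("firmware", b"fw-v1"),
    ("bootloader", b"bl-v1"),
    ("kernel", b"kernel-v1"),
]
# Golden value: what the operator computes from the images they released.
GOLDEN_PCR, _ = measured_boot(KNOWN_GOOD)


def demo():
    """Returns the attestation result for a clean boot and for a boot whose
    bootloader image differs from the released one."""
    good_pcr, good_log = measured_boot(KNOWN_GOOD)
    modified = [
        ("firmware", b"fw-v1"),
        ("bootloader", b"bl-v1-modified"),
        ("kernel", b"kernel-v1"),
    ]
    bad_pcr, bad_log = measured_boot(modified)
    return attest(good_pcr, good_log, GOLDEN_PCR), attest(bad_pcr, bad_log, GOLDEN_PCR)


if __name__ == "__main__":
    print(demo())
```

The point the posts make shows up in the design: the measuring firmware, the register, the log format and the verifier's golden value all have to agree on the same hash and the same extend rule, or nothing downstream can be built on the result.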

@hazelweakly ah! Thanks, now I see what you mean.

That would be a huge industry-wide effort, but I can see how that would enable not having to trade convenience for security.

@hazelweakly Didn't we used to do that, and stopped because it was lumbering, not-agile, slow and the sort of thing banks do?

@hazelweakly Your point about "security, convenience, and collaboration" is a really good one. The shop I've worked at that was the best at security was intensely collaborative.

(Not... *great* at security necessarily but... well so for our container platform *by default* the control plane was behind a jumpbox, so even test systems were behind jump boxes, which folks occasionally grumbled about being over engineering but BOY were we happy about it when Log4j happened)

@hazelweakly The other thing about that place was that it was intensely pragmatic about humans-as-parts-of-systems.

When I first started there we had a repeated problem where we had to rotate all the credentials on a test system because people kept leaking the creds by sharing them in Slack.

We basically solved this by building a secrets management system that made it easier to rotate creds & less necessary to share them.

@nat @hazelweakly Going back to your original complaint, Hazel, I am working on creating a group of examples, called HelloSecurity.

So you're writing a web app - you look at HelloSecurity and it shows you how to do a proper TFA implementation.

Here's where it gets interesting - to me, anyway: I have never called myself a security guy. So I put this up as a private repo, GRANT you in, you look at it and say "I don't like this here's a better TFA implementation." ....

@hazelweakly Kubernaughties currently exists and has been promulgated just as a shrine to the egos of people who work(ed) at Google. That it has become so prevalent despite its complexity is because all the startup bros who want to add "snake-oil fairy glitter" to their resume.

@hazelweakly
- #K8s is the React of Infrastructure
- #React is the k8s of front-end frameworks

@hazelweakly it would be much easier to produce forms. I have worked a lot with one specific CMS, and the forms component wasn't accessible because they didn't give a fuck (US lead company, I'm based in Germany). So a dev from a partner (not paid by the CMS manufacturer) stepped up and made the component accessible for a client (legal requirement) and shared it in talks and stuff. He said the response was overwhelming. Now, the CMS company is making the forms accessible by default.

@hazelweakly the same company/CMS sometimes fucked up translations and multilanguage, as US leadership culture seems to think "we don't need to think about that stuff" but then goes on selling the product outside of the US...

@hazelweakly there would be a lot more Rails and Django apps running on boring old servers, rendering boring server side HTML.

@hazelweakly It's the modern equivalent of "how complex is it to write a hello world", where the simple demo case is optimized at the expense of the real-world ones.

@hazelweakly "Speed to Hello World" -- worst metric ever, but endemic in this ridiculous industry.