
Ask Slashdot: Share Your Security Review Tales

New submitter TreZ writes: If you write software, you are most likely subject to a "security review" at some point. A large portion of this is common sense like don't put plain text credentials into github, don't write your own encryption algorithms, etc. Once you get past that there is a "subjective" nature to these reviews.

What is the worst "you can't do" or "you must do" that you've been subjected to in a security review? A fictitious example would be: you must authenticate all clients with a client certificate, plus basic auth, plus MFA token. Tell your story here, omitting incriminating details.


  1. Fooled ya! by 140Mandak262Jamuna · · Score: 4, Funny

    If you write software, you are most likely subject to a "security review" at some point

    Wrong! My code has never been subjected to any such stupid security review.

    Disclaimer: Opinions expressed here are mine, not my employer Equifax.

    Disclaimer to disclaimer: Nah! I'm not really working for Equifax

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Fooled ya! by Actually, I do RTFA · · Score: 3, Funny

      Disclaimer to disclaimer: Nah! I'm not really working for Equifax

      We all know you're not working at Equifax. But do they pay well?

      --
      Your ad here. Ask me how!
  2. FBI subpoena by ahziem · · Score: 5, Funny

    I was a high-ranking official in the state department. The FBI sent me a subpoena for my private email server because I used it to discuss classified government business, so I had my IT guy wipe my private email server before I handed it over to the FBI. Later he was discovered on Reddit and confessed to the FBI, but I made sure they couldn't trace the decision back to me.

    1. Re:FBI subpoena by Major_Disorder · · Score: 4, Funny

      I was a high-ranking official in the state department. The FBI sent me a subpoena for my private email server because I used it to discuss classified government business, so I had my IT guy wipe my private email server before I handed it over to the FBI. Later he was discovered on Reddit and confessed to the FBI, but I made sure they couldn't trace the decision back to me.

      I bet you would have gotten away with it too, if it wasn't for those meddling kids.

      --
      First law of people: People are generally stupid.
  3. The security review was nothing like I expected. by Anonymous Coward · · Score: 5, Funny

    Some software I was involved with developing had to undergo a security review. Little did I realize how unprepared for this event I was!

    It started off relatively benignly. I was sitting in one of the conference rooms, waiting for the external security consultant to come in. He arrived a minute or two after I had arrived.

    "Hello.", he started off. "I'm Steve and today we'll be performing a security review of the software you and your team have developed." He opened his laptop and started loading up the source code we'd provided to him earlier. He didn't even bother with any sort of friendly small talk.

    "So I see you chose C++." he said after a minute or so of looking at the code.

    "Yes, C++14.", I confirmed.

    "Unacceptable.", he stated without hesitation.

    I was slightly taken aback. "Pardon?", I asked.

    "C++ is unacceptable.", he stated.

    "We're using modern C++ techniques, including smart pointers and RAII. We also run our code through several static and dynamic analysis tools.", I explained.

    "C++ is unacceptable.", he repeated.

    We sat in silence for a couple of minutes as he continued to scroll through the code.

    "Why didn't you use Rust?", he finally asked.

    "Rust?", I replied. "We started this project before Rust 1.0 had been released. Plus our team is more familiar with C++."

    "C++ is unacceptable.", he repeated once again.

    He was starting to get agitated. "Why the fuck didn't you use Rust?!" he asked once more.

    "I just explained why.", I responded.

    "Don't you give a fuck about guaranteed memory safety? Don't you give a fuck about threads without data races?", he asked loudly.

    "Well, yes, I do care about such things. But we can achieve those by using modern C++ sensibly."

    As expected, he replied "C++ is unacceptable. C++ is fucking unacceptable."

    I wasn't really sure what to do at this point. Clearly he didn't think C++ was an acceptable language to use.

    My pondering was cut short. He abruptly started screaming, "WHY THE FUCK DIDN'T YOU USE RUST?! DON'T YOU GIVE A FUCK ABOUT ZERO-COST ABSTRACTIONS?!"

    "C++ usually has zero-cost abstractions.", I pointed out.

    This sent him over the edge. His face started getting a very deep red color, and I could see he was getting extraordinarily angry. "C++ IS UNACCEPTABLE! C++ IS UNACCEPTABLE! YOU HAVE TO USE RUST! RUST IS THE ONLY PROGRAMMING LANGUAGE THAT RUNS BLAZINGLY FAST, PREVENTS SEGFAULTS, AND GUARANTEES THREAD SAFETY!"

    At this point I was starting to fear for my safety. I had read comments from Rust fanatics online, at places like Hacker News and Stack Overflow. But I had never expected these Rust advocates to be as egregiously agitated as this security consultant was.

    Noticing that the door to the conference room was slightly open, and thankful that I was sitting closer to the door than the consultant was, I made a dash for freedom. I slipped through the door, and immediately started running toward my manager's office.

    All the way I could hear the consultant screaming, "C++ IS UNACCEPTABLE! YOU NEED TO USE RUST BECAUSE IT HAS TRAIT-BASED GENERICS AND PATTERN MATCHING!"

    I quickly explained the situation to my manager, who was wondering what all of the yelling was about. He quickly dialed the office building's security team, but they must have been alerted beforehand by somebody else, because the consultant's yelling abruptly stopped mid-way through a rant about the importance of move semantics.

    To be perfectly honest, I have no idea what happened in the end. I assume the security consultant was promptly removed from the building. As for the security review of our software, I haven't heard about having to do any additional ones. Perhaps management realized that there were better uses for our time than listening to some lunatic berate us for using C++ instead of Rust.
    1. Re:The security review was nothing like I expected by operagost · · Score: 5, Funny

      His face started getting a very deep red color

      Like rust?

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.