this post was submitted on 09 Aug 2024
89 points (96.8% liked)
Technology
59605 readers
3434 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Eh, I disagree. Cryptography really isn't something your average software engineer needs to know about, as long as they understand that you should never roll your own crypto. If you teach it in school, most students will forget the details and potentially just remember some now-insecure details from their classes.
Instead, we should be pushing for more frequent security audits. Any halfway decent security audit would catch this, and probably a bunch of other issues they have as well. Expect that from any org with revenue above some level.
At least have few lessons let them remember not to roll their own crypto, and respect those scary warnings. These needs to be engraved into their mind.
I agree security audit would catch this, but that's something after the fact. There is a need for a more preventative solution.
Security audits should be preventative. Have them before any significant change in infrastructure is released, and have them periodically as a backup.
I had a cryptography and security class in college (I took the elective), and honestly, we didn't cover all that much that's actually relevant to the industry, and everything that was relevant was quickly outdated. That's not going to be a solution, we need a greater appreciation for security audits.
At least teach the concept of "don't do it ever" won't hurt, and won't get outdated anytime soon.
However, this approach will hurt security in the long term as this brings to burden to the lib dev to maintain a foolproof design, which they can burnout, quit, and leave a big vulnerbility in the future as most dev won't touch the code again if it's still "working."
Cybersecurity is very important in today's digital landscape, and cryptography is one of the pillers. I believe it's essential for devs to learn of core principles of cryptograhy.
Again, audits are nice, and you can use it in various points, but it's not silver bullet. It is just a tool, and can't replace proper education. People are often ignorant. Audits can generate any number of warnings it can, but it's the people needs to take corrective actions, which they can ignore or pressured to ignore. Unless it's part of a compliances certification process that can cause them to get out of business. Otherwise, most managers are "What would I care? That cost more."