2/ Here's an interesting thing on state of IoT security, HT
3/ Original Internet security culture was/is weak because of some mix of RCRC-RERO, NSA, key leverage ideas like blockchain being in the future
4/ Another angle I've learned from DevOps people (see 'Phoenix Project') is security concerns can drive irrational decisions
5/ State of s/w security culture: industry spends too much on security theater that does nothing, too little on fundamental advances
6/ I think one reason for this state is that security concerns, like usability concerns, fundamentally conflict with agility concerns
7/ Both usability and security as conceived today seem to require systems-level mental models of the full product in like week 1 of the project
8/ But you can't fully model either user behavior or threat environment that early, to build usability/security "theory" into product DNA
9/ So InfoSec people, like design people, often seem to feel ignored and underappreciated until a crisis makes their role important
10/ So one question I'm tracking with interest is whether IoT repeats the pathologies of the original web's evolution or figures out "agile security"
The first is already happening, but I suspect the calls coming from *actually inside the house* this time will force agility or death
I'm biased, of course, but I think language-theoretic security langsec.org and other practices that minimise complexity …
… are essential to building systems that *can* repel threats and respond quickly (and usefully) to vulnerabilities.

