
How Does One Balance Security and Usability?

This week has been a lot of jumping through organizational hoops at work. Disclaimer: The following might be a bit vague because of NDAs. My team was given a task to design and build a particular tool and piece of infrastructure for one of our clients. Working with this particular client comes with a lot of constraints, which consist of doing things the company’s way rather than the best way. Most of these constraints come under the guise of being more secure than industry standard. Security is obviously a valid concern, but what is the responsibility of the developer and the security engineer? Excessively complex security requirements prevent developers from accomplishing things in a timely manner, but the lack of those requirements creates vulnerabilities.

It’s very difficult being required to use a particular piece of software that claims to do a thing, but doesn’t actually do that thing correctly because it’s still in development, when there’s a perfectly good piece of software that does reliably do that thing.
