9 tweets, 2 min read
Many people assume "this was done by a large company/this product was bought by many large companies/this security product was audited by a big accounting firm; so we can trust it!"

The Swiss voting system fiasco reminds us: that assumption is wrong. 1/
There's a widespread bias in this direction. I heard a colleague recently say, about a product I discovered was so architecturally flawed it cannot be remediated, "but so many big companies have bought this, it can't be that bad?" But it can. 2/
We know that big organizations, even major governments, screw up on computer security so often that they wind up in the newspapers week after week. The assumption that big organizations can't possibly be incompetent at security is constantly disproven by the real world. 3/
Note I'm not claiming all large organizations have screwed up their security, just that being a large and famous organization tells us little about whether or not security at that organization is well run. The assumption that famous, large, and old means competent is wrong. 4/
So the next time you hear a salesman explaining that this product is used by many giant firms so it must be good, or the next time you hear a colleague saying a product can't possibly be bad, it is so widely used, remember that's a fallacy. 5/
When someone tells you "this is the industry standard way of doing this, all the big companies do it this way", that doesn't mean it's even remotely acceptable from a security perspective. If that were a reasonable argument, big companies wouldn't be in trouble constantly. 6/
And do not believe that because some large and famous accounting or management consulting firm has audited a product or process that it is any good at all. Those firms have failed to find problems so frequently that their reports tell you very little. 7/
Doing security well is hard. You can't fall back on the usual corporate strategy of trust in authority. The only way to make sure something is good is to look at it carefully and check. If it's too complicated to understand, then replace it with something that isn't. 8/
And just because your marketing people insist something must be possible doesn't mean they can countermand computer science at will. If they insist that you sign off on something impossible, get your resume together quickly, before they drag you into a career-ruining event. 9/9
Perry E. Metzger