I’m working on a security story that has drug on for close to 6 weeks now. It is the result of an early decision to turn off TLS because the mechanism for setting up the certificates wasn’t ready and just turn it back on later. Yeah, that never goes well. (This decision happened before I came into the team, so I won’t point fingers.)
I’ve finally come to a small epiphany about security. We talk a lot about security algorithms and strength and attack vectors and vulnerability surfaces. But the math and analysis parts of security seem like much more straight forward problems. There are lots of great tools for those things that should be used. The _real_ challenge to security is integration. Getting the certificates in the right places. Turning on those little configuration switches in all the right files. Specifying the right ports and routing traffic through firewalls and load balancers and TLS terminators. That seems to be where the practical complexity lies.
Maybe some day I’ll have an epiphany about how to make that happen more smoothly. 😉