Comments by "Christian Baune" (@programaths) on "Does this make you angry?" video.
-
This almost always leads to funny discussions!
Years ago, I added WSSE to an app and the boss was like "Wow, you did it yourself? You are sure it's secure?". Replied something like "Ain't stupid, it's a standard.". Then ensued the "but, but, but, it's documented and everyone can see how it works" 🤣
Then I had to educate him, explaining what a signature was and how hard it is to crack and almost impossible when done correctly. Hence the good documentation of these standards.
And even implementing an existing standard shouldn't be taken lightly. One has to know what he is dealing with. Stuff like "side channels" are a thing ^^
I remember the Heartbleed news coming on a Sunday. Put down the servers on the spot, updated them (the fix was available very fast!) and back online in a few minutes.
We did lose thousands in revenue. Boss was mad at me on Monday. Told him I would publish our database in free access on our FTP (which was SFTP, but I just said it was a new "ftp" thing to ease it in). Yes, he was really mad and didn't understand the whole situation. Just ended up saying I would do it again because the loss can be much greater (actually, the company could close if the client database is leaked).
I also like: "But HTTPS is secure".