Correct. And "government-grade security" isn't a compliment. CISA definitely has some people who want to do the right thing, but they need budgetary control over other agencies to make it happen. (Speaking as someone who worked for the federal government for 15+ years, the most effective means of persuasion would be travel and reserved parking enforcement for Senior Executive Service members.)
CISA also doesn't have authority over DoD or IC systems, let alone the aforementioned budgetary authority to make them do it. No, it doesn't make any sense to apply a lesser standard to systems that are more sensitive. Like I said, government-grade security.
During SHA-1 deprecation for example, almost all the trouble was with the financial sector. The way the bogus issuance that led to discovering the problem at StartCom / WoSign was detected begins with a financial services company that is desperately trying to get a SHA-1 certificate issued after it's too late and finds WoSign will back-date the certificate for some undisclosed amount of money. Even some of the Symantec / Crosscert stuff comes back to the Korean banking and financial sector (in the district south of the river in Seoul which we'd anglicize as "Gangnam", yes, that Gangnam...). And lots of "We must have RSA kex" was the financial sector too.
You've probably got a chip card as credit card or debit card, but even though that chip is relatively a technological heavyweight (compared to things like your employee badge that authorises access to the shared office printer, or a public transit card) the crypto in it is... not so hot, and the surrounding infrastructure built by financial companies is awful.
And the chip card doesn't actually secure the thing you care about - your money - it only secures the thing the issuer cares about, tying your transaction to you. Actual financial transfers are done entirely on a trust basis like it's still the 19th century, the card just presents authorization which is optional.
What I find most frustrating is that financial institutions buy extremely overpriced and brittle software from renowned vendors not because of technical excellence but for risk management: they want a supplier to blame when something goes wrong.
The problem with this is that nowadays suppliers are stronger at defending themselves from such blame than they are at writing good software.
Furthermore, the software being sold is very pricey, and the cost of customising it often exceeds the cost of the software itself.
Then, 9 times out of 10 the issues lie in the customisations, and that isn't surprising, as the institution will be using mostly the custom parts, since those are the ones they need most. Here the vendors have an even firmer grip when demonstrating that it's the customer requirements' fault, and not their crappy software, that confuses the concepts of "database" and "application server".
I try to counter this by writing solid, robust software using open source components, giving back when possible, perfectly fulfilling the company's requirements, well integrated and reasonably cheap to maintain. Slowly, this can help in abandoning vendors and building in-house know-how.
I find this crucial because the quality of software sold by some vendors is very very low, and getting worse.