DEV Community

Cossack Labs

Less obvious parts of security asymmetries, by Eugene Pilyankevich

Open up a new approach to data security with Eugene Pilyankevich, CTO at Cossack Labs: an intellectual exercise about infosec.


“If you’ve been around the infosec industry for a while, you might be familiar with an old adage:

the defender has to get most (if not all) things right to meet his goals, while the attacker has to get a few things right and he wins.

This is unfair, but the closer you look, the more asymmetries unfold: for example, what exactly does “get things right” mean? It’s an interesting mental exercise, so let’s do it together.

When we discuss “setting things up properly” and “getting things right” in a security context, we lack a proper “definition of done” for large-scale security systems and their subcomponents (security controls). Mostly because our decisions are betting against unknown unknowns. We go all the way to turn them into known unknowns by addressing two extremes of the spectrum and filling space in-between: from external risk to internal posture.

  • Moving from the outside, we analyse known threats and think of our ways to protect against them.
  • Moving from the inside, we look at the attack surface and failure scenarios and, in the best cases, ponder “what will we do about it?” before picking an applicable standard and set of best practices.

Efforts meet somewhere in the middle, and if you’re doing it right - you already have a proper understanding of business risks related to security, made a set of risk management decisions, and are now staring at long lists of “do this and do that” coming from compliance requirements and best industry standards mapped onto your unique architecture and set of constraints.

Unfortunately, it does not lead you to a definite answer: “did I get things right?” Security failures after humongous budgets spent on security hint to us that getting things right is either very hard or totally impossible.”


This was the first part of the CTO blog post by Eugene Pilyankevich. Read the real kicker here: I think the idea that “getting things right is very hard” has something to do with... or follow @9gunpi and @CossackLabs for more data security insights.
