Security is just one part of risk

submitted by
Style Pass
2024-07-06 23:00:03

I think our software industry sometimes has a blind spot when it comes to security. Don’t get me wrong, I am of course in favor of good security practices. But I think we could get better at understanding the trade-offs involved when improving security.

At a previous employer, we partnered with a big bank. They were using our SaaS’s REST API over the Internet. For security they used

The CISO department of this particular bank reached out to us and required us to use mutual TLS (mTLS), since it was “more secure”. I thought their request was security theatre; it would not improve our security in any particular way. Also, we had used TLS+pinning+token for many years: it worked well, we had good processes in place for it, and we knew how it worked.

Further, I knew that mTLS would require authentication on a different network layer. It would add more technical complexity for us. Also, we did not want to become a CA and start doing complicated CSRs. Still, the customer kept pushing for this.
