I work in AppSec for a Very Large Company. I've worked in large companies before. These are not new trends. We have programmers who do F# and other functional programming. I would think the bigger inhibitor to functional programming is that most of the existing apps are Java or .Net so unless you are building a brand new team, you reuse the skills and technology you already have working for you.
Our devs use plenty of small open source projects. We [Security] like to recommend software that we are comfortable with, but any determination of "stacks" we leave to the actual software engineering teams. If something is pretty bad, not updated, constantly having problems, etc - we might ban it... but what's your case for using poorly engineered software given alternatives?
Not sure if mom and pop is supposed to mean commercial, but not OSS? OSS we can patch and modify if necessary. We can even PR patches back based on what our "scanners" and manual testing find.
Generally, we don't care about language, most issues are in implementation not the language, and less so in more modern languages where the creators have heard about security.
The basic type of code scanning needed for PCI and other compliance is a commodity offering and is a manageable cost compared to the marketing and relationship management costs needed to pursue big clients.
I am not sure the OP understands what a SOC2 report says/does. It talks about pretty high level controls and practices. You certify an app/service, not a stack. If you scan and fix your bugs and have proactive security training, it doesn't care about how you do it. There is no golden stack that will help you pass a SOC2. You may be able to make your life easier with certain services/SaaS, but the issues come up in your practices and in the actual code implemented. If you have bugs in procedural or functional programming, it's the same problem from this perspective.
Vendor due diligence? Some companies have their own questions, there are also agreed standards for these that some companies opt into. I am not sure why a big company should risk their bottom line on something unproven or that isn't ready for prime-time. It's like getting an inspection when you buy a house. In the same way, your org can improve and make improvements. This is no different than adding in features some customer wants in order to win your business.
I don't understand the ultimate point, people who build functional apps shouldn't have to care about security? It's just another non-functional requirement that helps you win a broad audience. It's the same argument that says government should regulate this or that, that financial advisers shouldn't need to act as fiduciaries. It's the cost of doing business.
Maybe the OP has some weird experiences where auditors jumped on functional programming as an issue to justify not doing more work or make their lives easier, but I don't think this is something that is a commonly held belief across audit and security (if people even know what functional programming is).
I think a good parallel is OWASP for web app security. The content is free and open for the internet. OWASP doesn't directly focus on curating the content and it is left up to the community. The content grows old and stale, errors do not get corrected, and the writing is often what I would call draft quality even when it's published.
There are always a lot more consumers than creators of content on any platform. Most people going to use a resource are not the same who can write about it, not everyone on YouTube has something to share or make a video. And why give it away for free when you can make a paid course, give a talk, charge consulting fees, sell a solution to a problem?
You need to align incentives. Again, why contribute to something and possibly deal with the pain of moderation for free (costs instead of gain). Should we blindly trust the wisdom of the crowds? The other cost of free, is that the community may not be capable or not interested in sufficient moderation - this leads to low quality content which chases people away, even if there is good content right next to it.
OWASP's incentives and objectives have never been 100% clear to me. There are some big security players involved, but it seems more interested in research, community, grants, etc versus content. When you look at MDN, Mozilla has a clear incentive to document these things so developers build more "standard" vs "Chrome-focused" web apps, which helps keep users on Firefox since all of their favorite sites are less likely to break without Firefox simply copying decisions made by Chrome. By documenting expected action and quirks, it forces Google et al. to try to move back towards agreed upon standards.
In security, I am generally more reliant upon vendor write ups and content from people with a reputation. Security has a much smaller population than web dev. Also, for web dev a lot of people pick it up and feel comfortable writing publicly even when they are just starting out (See Dev.To). I am not sure if companies pump millions of dollars into commercial web tools beyond graphics and CMS type stuff, so I wonder if a more decentralized collection of guidance is practical for the web, not to mention that there is a lot of nuance between browsers and even recent versions.
In addition to recording, you may want to make some stills for download or for custom formatting, highlighting, etc. You can use Carbon - https://carbon.now.sh/ - which will do some auto formatting, but allow you to override. This is a bit better than just screen-shooting the IDE.
You may not want to just make one big long video - it's hard to follow and then find specific key points in time. Unless you are showing a lot of interactive things and just input/output, copy-and-pasteable code is going to be easier for students to see and adopt. You may want more of a long tutorial document with small videos where it makes sense or you want to show something interactive.
In addition, it's a lot more editing if you want something good without mistakes, etc (there are a lot of videos from big name schools online where professors do not correct themselves and just post the single unedited take). I would actually use video selectively. If you want students to easily run something you may want to utilize one of the many online IDEs that can execute code.
Depending on the tools available from your school or what you can find online you can make something very useful and interactive or you could try to use something like https://www.adaptlearning.org/
It may be zero sum or not zero sum depending on different situations.
If all employees value transparency and fairness and would rather have a lower but more fair pay, then the transparency may work.
However, the employer typically derives more profit per unit of work if the employee makes less. Also, if you are a good negotiator or you are the type to always threaten to leave if not given more pay, you benefit from the opaqueness. If the company has a lot of good negotiators it may make sense to be more transparent to keep the overall wages down since no one can exercise that benefit.
There are probably other factors such as supply and demand beyond individuals at specific points in time which need to be taken into account (surge pricing?): we need someone for this project now, so we will pay them a premium even if we would normally pay them the same as everyone else. Even in consideration of long term costs this may make sense.
You implicitly assume that the employees would all (or net) make more money under a more transparent system, and I am not sure why. It may be true, but some may also accept smaller raises if they know most coworkers are at a lower salary. I can imagine a number of effects that transparency may have, and do not know their net impact.
If isolation is an issue, perhaps there is a co-working space or public space at which you can work. If you don't want to work in public, maybe you just need to go to some meetups, professional organization, makerspace, or some other type of group where people come to socialize. You may want to try a mix of tech and non-tech type groups. I found when I was running my own business in my early 20s that a local user group provided a good way to meet new customers and interact with people. I also tried things like board game meetups, "young professional" groups, etc. Even if I didn't like the people or never went back, I found it a good way to break up my routine. I would also make sure to spend time outside, at the public library, just leave the apartment for lunch, etc.
I have often thought about leaving tech or going to a different area within tech, I can empathize that it's scary to think you are a specialized cog that can't really do anything else. It may be helpful to reach out to a career professional for some advice - for example if you went to a college/university, they usually provide career counseling for alumni, local libraries also often have resources or people who may help. If you are thinking of staying in your own business, you may want to try your local Small Business Association chapter (or equivalent if you are outside of the US).
Remember, your greatest asset is often not what you know, but that you know how to think and make critical decisions. I am sure you have learned a new programming language or figured out how to deal with a bad customer. Those are skills which can be generalized and applied in other areas. It may be hard or scary to take the step on how to apply these skills in a different area, but you may be able to think of low risk ways of trying it out. Maybe there is some type of freelancing gig outside your realm or even outside of tech you could try. Some of the networking ideas above may help you bump into someone who needs your skills - even if it's not paid work, they may buy you a coffee just to pick your mind.
I would also second some of the other comments on getting a mindless or corporate job for a while, taking a vacation, tech detox, etc.
In sum, the first step is to break out of your routine and try something. You may have heard of paralysis by analysis... sometimes you have to just take that first step and not worry about having the perfect optimal, zero risk plan in place.
I know many people who graduated from this school district....
"What white middle-class parents do not always understand, she said, is how much pressure recent immigrants feel to boost their children into the middle class."
This may be a great general quote, but should not be applied to this town. Immigrants moving here are not poor, not "off the boat". West Windsor is a township with mostly upper middle class people (Median Income per 2010 census was $156,110[1]) and a very high number of people with advanced degrees per capita (41% have graduate/professional degree as of 2013[2]), most of these immigrants came here with advanced degrees. People are not moving here to get ahead, they are already well established in the upper middle class. Houses are insanely expensive in West Windsor and Plainsboro, you will find people selling 3 bedroom condos in the 600k range, this is a town with a long commute to NYC or Philadelphia.
There are plenty of people of all races on both sides, I think the author is taking some liberties to up the page view count.
There likely is a backlash from a tiger mom like segment, but this article seems like a NYT reporter just trying to get something out on the heels of the recent Atlantic article[3] on the kids in Silicon Valley being so stressed at school they commit suicide.
Note 1: Moving things to GitHub or elsewhere does not remove them from SourceForge. So SF can continue to host and enjoy links on unmaintained websites, search engines etc.
Note 2: If their business model is offering popular binaries and source, they can just copy these from other sites and repackage them. Open source software allows you to do this. If no one else is interested in bundling and monetizing, then they can buy traffic and still succeed.
Note 3: Remember that academy award winning movie from 1943? Not so great in today's light. While perhaps one of the goals of the Internet and cheap storage is to keep a copy of everything, and it's often better to not re-invent the wheel, if something falls by the wayside, and it's needed, it will be created.
Note 4: There are plenty of websites which catalog useful abandonware, that someone had to find a physical disk drive from. If the software has value, chances are someone will eventually repost it somewhere without a massive organized effort.
----
There is clearly value in moving over some projects to GitHub or elsewhere, but if some things are not migrated or moved life will go on.
The metrics they use are not the same, so I am not sure if the AWS option is something dedicated vs the MSFT one is something you share? Is there something different from AWS that is more comparable?
I think the AWS Cloud HSM is dedicated, but not sure. They look to be about the same.
If you don't need FIPS, AWS also has the new KMS service which is way cheaper than Cloud HSM.
"you can enter any arbitrary text afterwards is so that if someone is looking over your shoulder they can't tell that it only accepts 8"
Except it is public knowledge that there is an 8-character limit. Very basic footprinting would make it clear to only pay attention to the first 8 characters.
Right, it would only work if they happen to start looking at you type after you started typing, in which case they wouldn't have your full password anyway.
But in the case they see the full thing, they would write it down, go to try it, maybe type out the whole thing without even noticing there was a restriction, type ok, and bam, they're in. If they do notice the password could only hold 8 chars, what are the odds they wouldn't try what they have for the hell of it?
The dude must have been talking out of his behind.