Empathy & InfoSec

Love Logik
Dec 19, 2015

My ramblings, written down while reflecting on the broken record that is InfoSec.

Red Team vs Dev Team

Skill-switch experiment:

“InfoSec” is challenged to write one year of code under the same expectations that the InfoSec community puts on a software development team.

Observation: InfoSec, how did that turn out for ya? Can we all retire now? AppSec solved?

“Dev” is tasked with a security assessment of “InfoSec” using the tools of hackers.

Observation: Dev uses its existing skillset to improve the code of multiple open-source hacking tools and writes custom tools for more accurate results.

Bonus Points: “Dev” is actually qualified to read “InfoSec’s” code as well and identify areas of concern, whereas in the majority of cases “InfoSec” would not be qualified to do the reverse. “Dev” can relate to “InfoSec’s” expectations thanks to that skillset and experience, and this shared experience can encourage acceptance even in failure.

Conclusions:

From a software developer’s point of view, we InfoSec pros can be very myopic and annoyingly preachy at times, which others can reasonably perceive as extremely inconsiderate. Our egos chase the media credit for finding that one-hit-wonder hack or stunt while the engineers are busy grinding out millions of lines of epically useful code: the code that makes it possible for you to read this anywhere you are in the world.

InfoSec Community — Let’s make an effort to be more conscious. Next time you see a developer, tell them thank you! Because without them, InfoSec would have nothing to dramatically bitch about while getting paid like rock stars.

Something Different

Maybe the next time you write that security assessment highlighting your clients’ weaknesses and failings, add another section that details their noteworthy strengths.
