Reality Check

By Nat Puffer

If I have to sit in on one more meeting where a security consultant bitches about how dumb people are, quotes a t-shirt they saw at DefCon, or makes some vague statement on how businesses just don’t “get it”, I’m going to quietly get up, walk over to them, and throw their laptop out the closest window. If by chance there are no windows in their mother’s basement / bar / secret lair, said laptop will meet an untimely end against the first semi-rigid surface I see.

Here’s a little breakdown of the reality of the world, Nietzsche-style. Penetration testers, computer security consultants, appsec gurus, wifi wizards: we are the Destroyers. Few, if any, of us are Builders. I’m not even going to bother telling you why this is. If you don’t get it, buy me a beer and we can have a pleasant conversation about it. All you need to know at this juncture is that we’re massively outnumbered, and that’s a good thing. Most people want to build things; Create; Discover. It seems to be in their nature. A few of us look to see how things work; to discover the puzzle in them by picking them apart rather than building our own. It’s in our nature.

If you can accept that then you should be able to accept this. Security will *never* be in the nature of creative people who concentrate on making things. Asking them to change is pointless. It’s our job to figure out how to let them be creative and, where necessary, keep the results safe. This will be inefficient, difficult, and iterative. That’s the business you’re in.

Think I’m nuts? The next time you’re in the bookstore killing time on the way to your client, take a look at the computer section. If it’s anything like the one in San Francisco, you may notice that the number of books about how to create and use software looks something like this:

[Image: Computer Section]

And that the sub-set of books on computer security looks something like this:

[Image: Security Section]