This industry meetup is a developer-centric event, focused on talking about the tools and technologies surrounding more agile software delivery. The presentation went well, but the biggest takeaway was the level of engagement I got from the developer community, and for me, this was an eye-opener.
Traditionally, the infosec industry has treated developers like shit: we waltz in, impose a set of ridiculous rules that have little-to-zero regard for the day-to-day reality in which developers work, and sometimes even have the gall to impose penalties when our arbitrary standards aren’t met.
Very few people have bothered to talk to the people who are affected by the rules we want to impose.
Very few people have worked with the development teams, trying their hardest to meet the standards we set.
Very few people have ever tried to help with tooling and technique, changing the conversation from “lol you failed this check” to “here’s a rope to help you across the security challenge”.
Imagine software development as a marathon: security is the team that finds it hilarious to put barely-visible hurdles in the path of the runners, neglects to tell the runners how high they are, then penalizes the runners for falling over. Ridiculous, right?
To add further insult to injury, we hurdle-makers all get together for annual conferences, pat ourselves on the back and give ourselves awards for finding new ways to make the runners fall over.
In an increasingly agile software delivery environment, an assessment-only approach to security achieves fuck-all in the long run. Try talking to developers – typically, they’re really smart people without exposure to security, and that’s not their fault. Open the dialogue, and you’ll find that they’re willing to help you deliver more secure software.
That said, if you work in security, try talking at some events which don’t involve a bunch of security people having a circlejerk about your Next Generation Enterprise Cloud Database Firewall. No-one gives a shit, someone’s going to fuzz your crappy (I mean Enterprise-grade) perl scripts for all of 4 and a half minutes and find an auth bypass or something.
Go talk at some developer meetups, start some events and involve some non-security people. Do something, anything, other than maintain the fucking status quo.