Fuck the Industry, Fuck Everything, but most importantly, Fuck You.

A few weeks ago, I had the fantastic opportunity to present at the fantastic Continuous Delivery Sydney meetup. (Slides: Security in a Continuous Delivery Model)

that's right, fuck you

This industry meetup is a developer-centric event, focused on talking about the tools and technologies surrounding more agile software delivery. The presentation went well, but the biggest takeaway was the level of engagement I got from the developer community, and for me, this was an eye-opener.

Traditionally, the infosec industry has treated developers like shit: we waltz in, impose a set of ridiculous rules that have little-to-zero regard for the day-to-day reality in which developers work, and sometimes even have the gall to impose penalties when our arbitrary standards aren’t met.

Very few people have bothered to talk to the people who are affected by the rules we want to impose.

Very few people have worked with the development teams, trying their hardest to meet the standards we set.

Very few people have ever tried to help with tooling and technique, changing the conversation from “lol you failed this check” to “here’s a rope to help you across the security challenge”.

Imagine software development as a marathon: security is the team who finds it hilarious to put barely-visible hurdles in the path of the runners, neglects to tell the runners how high they are, then penalizes the runners for falling over. Ridiculous, right?

"ha ha you failed the pentest"

“nope, you got csrf on your pentest of your 100% static brochureware site try again. oh, and clickjacking.” (i wish i was joking)

To add further insult to injury, all the hurdle-makers get together for annual conferences, pat ourselves on the back and give ourselves awards for finding new ways to make the runners fall over.

take one fucking guess which conf i'm talking about.

sajkodo;f’uiqawopeujrsdlk’jcx ko’;qjrkoapew

In an increasingly agile software delivery environment, an assessment-only approach to security achieves fuck-all in the long run. Try talking to developers – typically, they’re really smart people without exposure to security, and that’s not their fault. Open the dialogue, and you’ll find that they’re willing to help you deliver more secure software.

That said, if you work in security, try talking at some events which don’t involve a bunch of security people having a circlejerk about your Next Generation Enterprise Cloud Database Firewall. No-one gives a shit, someone’s going to fuzz your crappy (I mean Enterprise-grade) perl scripts for all of 4 and a half minutes and find an auth bypass or something.

Go talk at some developer meetups, start some events and involve some non-security people. Do something, anything, other than maintain the fucking status quo.

About Norman

Sometimes, I write code. Occasionally, it even works.
This entry was posted in Computers.