(no title)

Modern security is all about enabling modern engineering and allowing them to go ask quickly as responsible. Responsible has always been a function of risk / risk profile, always defined as likelihood * impact.

Please don't build a security product without having any experience or validating any real problems. This is especially true in security, where not every potential problem gets prioritized and solved.

I guess it's important to understand that security is political before its technical. This is because secutity is first and foremost a resource allocation problem. Alignment is towards spending the minimal amount possible on security. This means in order to buy a security product, it must promise to reduce financial exposure to breaches at a cost that is below the financial exposure. There is no moralizing here. There is only economics. Nobody cares what is right, people only optimize for what is cheapest. Cost includes engineer time spent patching security problems and the opportunity cost of that. Ignorance is often preferred. Incompetence is an easier defense than negligence. Most companies would jump at the chance to make someone else responsible/culpable for the consequences of poor security investment.

Most engineers, particularly people who work on infrastructure, are extremely wary of companies that make security promises. This is because the vast majority of security offerings are definitely security theater.

If you intend to do something in the realm of security theater, please don't, the harm is real. The harm is to your mother or your grandparents, your non technical friends. Please never engage in anything that does not actually improve security in a meaningful way, no matter how profitable it is, and it is most definitely profitable. There is a lot of snake oil in the industry.

The process of security is probably pretty close to:

  Identify what needs to be secured
  Identify the cost of poor security (so you can beg leadership for resources)
  Identify ways it can be attacked
  Identify the cost of prevention
  Prevent the things that need to be secured from being attacked successfully via technical measures
  Set up systems to find Indicators of Compromise (IOCs) to verify you haven't been attacked
  Set up systems such that when a compromise is indicated, the extent and method of penetration can be fully understood
  Set up defense in depth such that you assume one system is completely compromised and defend the other systems from it
  Sanity check your security posture via pen testing or bug bounty programs

There is also abuse:

  Identify how your systems might be abused by bad faith actors
  Set up systems to understand bad faith use of your systems
  Create and implement prevention and remediation of bad faith use of your systems
  Set up systems to audit employee usage of systems
  Gather evidence and prepare it for law enforcement
  Interact with law enforcement in regards to bad faith uses

There is also the sad side of security, compliance:

  Identify the compliances that you need
  Identify acceptable solutions for those compliances (which are frequently bad faith)
  Implement the solution to compliance requirements
  Handle the business <> legal <> technical compliance relationship
  Apply for and certify the compliance.

So:

  Understand
  Prevent/Harden
  Build/Monitor
  Verify

is kind of the process.

Most of the security folks I know talk to eachother, follow security people on twitter, or follow people like krebs. There are many mailing lists for notifcation of major security problems, many are invite only. Hacker news is probably good enough to seeing industry shaping stories. If you want to do research mining the CVE database can tell you a lot about exploits. Security folks frequent conferences. Defcon is probably the most popularized but I don't think it's industry shaping.

I think the industry overall is often shaped by major public exploits. For a while SCADA systems were the big thing. Heartbleed showed us that many of the libraries we depend on are poor quality or neglected. Leftpad showed us that many systems we implicitly trust aren't trustable. Spectre showed us that both hardware/OS are not guaranteed secure and that part of security means understanding your hardware might become 20% less efficient overnight. Solarwinds showed us that supply chain security is much more important than we thought. Russia's invasion of Ukraine has put a little bit of focus back on nation state actors and securing critical infrastructure systems (like power stations and cell towers). Pegasus showed us that zero days are absolutely abused by powerful entities and your CEO's communications may well be compromised. Colonial pipeline was a big thing.

Frankly, if I were an investor, I would not trust a product dev who went from product right into making security solutions. I would expect a person creating security solutions to have worked in a security based role and then had a desire to generalize solutions or to solve a painful problem faced in that role that that all companies face.