top | item 44952411

(no title)

awithrow | 6 months ago

I think like most things there is a power law distribution when it comes to these sort of roles. I've worked with a few really good security teams in my career. The good ones work with the teams, possibly embedded on improving security. The better ones also write tools and libraries for service teams to consume. The best ones act like internal white hats, constantly probe and assess, and submit patches as well.

Sadly the vast majority of sec teams are not this and exist solely to run some tool that spits out a list of dubious vulns and then dump said list as a pile of tickets into the dev backlog.

One place i worked, the CISO even came up with some slogan for the info-sec along the lines of "observe and report" after I kept trying to show the info-sec how to run, build, test, and patch our various packages and tools their scanners would complain about.

discuss

No comments yet.