[S]ecurity also requires a particular mindset -- one I consider essential for success in this field. I'm not sure it can be taught, but it certainly can be encouraged. "This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems." This is especially true if you want to design security systems and not just implement them. Remember Schneier's Law: "Any person can invent a security system so clever that she or he can't think of how to break it." The only way your designs are going to be trusted is if you've made a name for yourself breaking other people's designs.This is pretty much the opposite of the mindset in my district.
So You Want to Be a Security Expert
Pages
▼
Sunday, June 28, 2015
The security mindset
From the site Mark linked to:
They are basically describing the QA role, not so much the security mindset. QA engineers are supposed to think about how to make things fail. Security people are supposed to think about how a hostile actor might hack his way in.
ReplyDelete