by ownagefool 2515 days ago
I've been involved with several security teams, either as a builder getting my stuff reviewed by them, or as someone brought in to help them do the reviews.

Besides myself, I've never come across another developer in an InfoSec team. Their background ranges from networking, desktop jockeying, manual sysadmin, audit, script-running pentesters and managerial, but never really developers, nor anyone who has been setting up automation for an operations function.

I think this is partly because I contract, and the sort of orgs that bring me on are already struggling, but I think it's also just a common theme that InfoSec teams don't build, and so people that do don't want to be there.

This is what leads to a lot of things we don't like. The demands to follow processes that don't really help, the buying of random products and demanding you integrate, etc. Their simple lack of knowledge in Product Development leads to a lot of bad habits.

Much like you suggest, my job is too easy really. The builders also flee these orgs, because dealing with bullshit bureaucracy isn't fun, so with what's left all I can really do is suggest: use a framework that deals with security considerations, and don't deviate; follow guidance such as the CIS Benchmark; use scanning tools and look into the input; basically basic stuff, then come back to me when I have something to look at.