by sfdcsecthrow
1508 days ago
Throwaway for obvious reasons. But in my experience Salesforce security org is plagued with incompetent leaders who chase arbitrary metrics that do not improve security at all. At one point in time, security team at Salesforce was stellar and did some awesome work. Don't get me wrong, there are many, many smart security engineers still around but their population has been dwindling. This all started when a bunch of new leaders were hired. Instead of promoting tenured smart people, the security leaders decided to bring in their own gang of coworkers from previous employers. At the same time they slowly started pushing out tenured leaders. These new leaders are typical VPs who have long lost any technical chops and it's a huge task to explain any complex technical topic to them. On top of that they don't bother understanding the fundamental business model and just want to push their agenda on to everyone. So they have added "security processes" which require checking boxes. The more boxes you check the more metric it generates the better the leader looks. These security leaders are so disconnected from the ground reality that they don't even realize that all they are doing is adding hurdles in the path of engineers without improving any security.

Agreed, there's a lot of interesting stuff that came out of the Security (or related orgs) at Salesforce. Red team tools, chaos tools and JA3 which we use at my current work as well for SSL/TLS fingerprinting.