
monero-xmr, last Monday at 4:12 PM (7 replies)

Security products and practitioners are the classic snake oil salesmen. They are actually sales and marketing roles for help closing deals by emphasizing some security aspect. True security comes from general IT practices followed by engineers themselves.


Replies

pixl97, last Monday at 5:02 PM

> True security comes from general IT practices followed by engineers themselves.

Thank goodness engineers pop up out of the ground fully trained on good general IT practices....

ACCount37, last Monday at 4:53 PM

I would be wary of making categorical claims like this, but it's unfortunately true that the "security" field hasn't been doing well in a long, long time now.

Half the field is B2B "magic bullet" solutions like CrowdStrike and all the associated sales tactics - with pitches that boil down to "you give us money, we make your security issues go away". Half of what remains is mandatory certifications and other flavors of checklist-obsessed cargo cultists - often CYA-driven, often demanding the adoption of the fancy acronym of the day, regardless of the real threat profiles. Then you get the "security snake oil" - "magic bullet" systems that don't work, never did and never will, but are supported by the right influence groups and get the right pockets lined, and so are used anyway. DRM systems like WideVine and PlayReady being the prime examples. Then there are the corporate "security of our business model" shills - who pay lip service to "security", but have the true aims of "prevent anyone we don't like from doing anything that can harm our revenue streams" - with Apple being a common example.

And about a fifth of the field is people who do actual security work, and keep the sky from falling.

Ekaros, last Monday at 7:19 PM

As the security guy, I get the feeling that on average engineers are not exactly great at general IT practices. Or even doing basic things.

99954bb63ccc, last Monday at 5:43 PM

> True security comes from general IT practices followed by engineers themselves

Sounds exactly like something the average security practitioner would say...

`not_sure_if.jpg`

Yoric, last Monday at 4:47 PM

How does this affect hiring of security engineers?

brendoelfrendo, last Monday at 5:46 PM

> True security comes from general IT practices followed by engineers themselves.

I have yet to meet an org whose engineers care about security, or who would not compromise security if secure practices got in the way of shipping a product or feature.

pwlm, last Monday at 5:40 PM

I'm a bit amazed you consistently get downvoted while you seem to speak the truth. So much gray in your comments.
