Security issues broadly can be boiled down into 2 categories:
- Seriously mind-blowing 0-days no one even considered, that shock and amaze you with the hacker's thinking
- Developers that took shortcuts to meet some kind of deadline
Btw, that second category isn't the fault of developers but more of the external pressure on devs from project stakeholders who place shipping functionality over considering security impacts
@insiderphd It is the fault of developers-that-take-short-cuts-because-they-don't-know-how-to-do-it-properly-but-are-too-proud/lazy-to-learn. But more usually it's not the fault of developers that are browbeaten into meeting pointless feature deadlines by project managers whose toolbox only contains "do management very assertively, keep pestering until they say yes to make you go away, then throw them under the bus"
@dvavasour I would question whether it's because they are too lazy/proud to learn. Is it really laziness, or is it that what they are measured on is fundamentally lines of code written/features implemented/deadlines met, and security is rarely easily measured in the same ways? Shouldn't management also take some of the blame for not prioritising developer education / making security a KPI for developers, so it's not something they can do later/easily forget?
@insiderphd Mmm, one of my interview techniques is to (where I can) probe candidates to the point where they don't know the answer. I want to see how they behave at that point. A disappointing number try to make out I was asking a different question rather than show how they act when out of their depth. The best candidates discuss the nearest equivalent space they know and approaches to get to what I'm asking about.