Builders, Breakers, and Fixers
Currently the Information Security industry is going through an interesting time.
- We have processes that can “fix” our problems.
- We have applications that can “fix” or problems.
- We have scanners that can “fix” our problems.
- And we have platforms that can “fix” our problems.
If this is the case, then why aren’t our problems fixed?
In the past few years the industry has become one of builders (people who write code) and breakers (penetration testers). I recently presented on why I think this is an incorrect view. To summarize, builders are good at innovating and breakers are good at finding security vulnerabilities in the software builders build.
However, when the “fix” comes along, the builder has to take time out of his feature mentality and focus on refactoring code. To date, I have never met a developer who likes to refactor.
What I propose is a new archetype.
A fixer.
A fixer can come from one of two places. Either a developer who wants to learn the nitty-gritty of security or a Security minded individual that wants to learn development.
The fixer will not spend time developing new features. Although he may spend a portion of his time breaking code, his main responsibility is to address the actual issues and fix (this time without quotes) the code.
Two points about becoming a fixer.
- Ask for forgiveness later - You can become a fixer at your current role. Just start repairing the code.
- Add Value - With anything you do, you should always add value. If you are a breaker, think how much more valuable you will be to a company if you are actually doing something other than pointing out the software’s flaws.
I have been doing this in my current job role and I have never had so much satisfaction.
Keep in mind the boy scout motto:
“Always Leave It Better Than You Found It.”