Insects

A friend told me recently his new security hire has two passions in life: security and poker. The word passion is strong and I can imagine this new hire’s use of that word and his subsequent explanation helped him to win the position. If his win was from describing his poker passion, then that’s cool and I have nothing to add.

Anyhow, this made me wonder if there's an area of security I could say I'm currently passionate about. One area did stand out, and the distinction I made was between offensive and defensive security.

For me, defensive security is it.

I’m not convinced my career survival instincts are somehow overpowering my reason, but to me it feels like to be awesome at offensive security is to be an insect. Thinking back over several penetration tests, I clearly remember wishing I had more knowledge of the workings of a particular exposed service or application.

This is not to say it’s not fun to be an insect at the right time. With penetration testing, it can be crazy fun to be an insect, surrounded by lots of other insects of different skills, all attacking the same target with abandon. It’s not, though, when you run with a small crew and run into a service or app with which no one has familiarity.

Defense, on the other hand, is a lot less insect-like. You can be really good yet skip out on the training for your newly deployed app server. Playing defense therefore is an evolutionary step up of sorts and requires more intelligence than playing the offensive insect (pun intended).

Ha. Only kidding.

My take is a small and intelligent team can play defense very well without the need to dive deep into their infrastructure's every exposure. That is why I like defense - you can grasp its entirety.

Posted by tate 25/01/2009 at 18h44
