Do Security Engineers really think differently?

Friday, March 21, 2008 by Mistlee

Can't see any images? - !

Call Today For a Free Domain Consult

Recent Articles

Security Engineers Giving Tricks Away
Should security engineers and people working in security be giving our tricks away so that anyone can find them on line and use them? This is a good ethical debate for security professionals to be having. There are a number of reasons why I think that security engineers should be openly talking about hackers, hacking, protecting your company.

The ISC Code of ethics (and even though I am not a CISSP, it is a good general ethical standard that people can live with) states...

The Technology Or The Presenter?
Another interesting presentation today at the iLinc Customer Summit came from Barb Nead-Nylander of the Dow Chemical Company.

She talked about Dow's requirement for all of their online instructors (well over one hundred of them) to take an internal training and certification class before being allowed to host a meeting or course for the company.

She pointed out that expecting teachers to be completely comfortable with the web conferencing technology and tools at their disposal is no...

Click to Play

SES New York 2008: Greg Jarboe
Greg Jarboe, the President and Co-Founder of SEO-PR, discusses universal search with Mike McDonald at SES New York. Jarboe explains how universal...

Do Security Engineers really think differently?

By Dan Morrill

While in general I disagree with Bruce Schneier more often than I do agree with him, on his “Inside the Twisted Mind of the Security Professional” I have to agree with him. He has hit on one of the more fundamental differences in approach that security engineers have when it comes to solving a problem.

We do think differently, not only do we think differently our approaches are also different because we automatically think of how to abuse a system. This can be generally unpopular, but if it is deep seated in our personality, the “think evil, act good” aspect of being a security engineer, then maybe this explains a lot of what we do, and how we do it.

This does not mean that the obligation to be creative, innovative, and supportive of our compatriots in the business and IT units. This does not meant that the culture of “no” can continue, but that if we know why we do something, we can explain it much better.

In the argument that Bruce makes he says that Security Professionals don’t think about how to take care of the customer, no we think about what happens when the customer can do something on the web site, or with the program that makes it work differently than it was supposed to work.

Some of the best in the world security engineers think this way.

Call Today For a Free Domain Consult

Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it. Source: Wired

This is where I agree with him, I know when I walk into the mall I can point out ever security camera, every physical security measure in the store, what dangers are with those handy key pads next to the cash register. When I look at a chunk of code, I am trying to figure out where I can break it so that I can get into some executable space in memory. Same goes for web sites; everything is fair game when a good security engineer is deep in their game.

Developers and business managers should be worried when you evil chuckling coming from the security department, that means they just found a way to take over your web site, program, or computer. You want people like this; they will save companies a lot of pain down the road with internally developed software.

About the Author:
Dan Morrill is a Security Project Manager with VMC Consulting in Redmond Washington. He works on developing MSS and IT Security outsourcing contracts...

About ITCertificationNews
A collection of resources designed to assist IT professionals evaluating various certification programs within the IT world. IT Certification Articles and UPdates

ITCertificationNews is brought to you by:

-- ITCertificationNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2008 iEntry, Inc.  All Rights Reserved  Privacy Policy  Legal

archives | advertising info | news headlines | free newsletters | comments/feedback | submit article

Unsubscribe from ITCertificationNews.
To unsubscribe from ITCertificationNews or any other iEntry publication, simply send an email request to:
IT Certification Articles and UPdates ITCertificationNews News Archives About Us Feedback ITCertificationNews Home Page About Article Archive News Downloads WebProWorld Forums Jayde iEntry Advertise Contact