Coding Skills and Security Competence
Occasionally we get questions regarding the technical level of presentations at DeepSec. Some are worried about talks at DeepSec being too „in-depth“ for their level of knowledge. You are either a coder turned security researcher hacking bits and bytes, or you are someone dealing with hierarchies and the organisational aspects of information security. It seems there is no middle ground. Well, there should be and here’s why.
Information security covers a very broad spectrum of components and technologies. You can start at the physical level and work your way up, just like the OSI model of networking. The OSI layers end where the human interaction starts, and while the network engineers and software developers go to rest, security administrators still have problems to address (they always have „issues“, their psychotherapists will confirm). In other terms this means that anyone wishing to understand, implement, break or improve information security needs to know about all the parts involved. We can’t be experts in all fields in this age, but the complexity of the world doesn’t free us from the need to have a basic understanding of the foundation. This is especially important when dealing with representatives of other departments or branches. If you start getting to information security, then you have to understand the mindsets involved. A good exercise is to catch up on the Userfriendly comic strips, identify the archetypes of the characters in your environment and trying to get a look at the world through their eyes. This is what your adversaries do, so why don’t you? Everyone has a reason how to decide in a certain situation. And since attackers can slip into disguises, the least you can do is to understand what’s going on and what a specific disguise does. Besides, a little extra empathy is good for your karma.
Now let’s speak some code. Clichés divide our digital world into developers, system administrators, suits and users (YMMV). That’s fine when you are the author of a sitcom. Clichés get into your way when dealing with information security. No matter which species your origin is, make sure you catch up on some basic understanding. Learn a programming language, understand how modern (and past) computer hardware works, install an operating system from scratch (any OS will do), delve into law books (we’ve heard law texts are just obfuscated machine language), decode the meaning of „project management“ (The Mythical Man-Month is both a classic and a good start), learn how business economics can alter your security policy (a.k.a. reality check), talk to human resources and let them explain to you how they select the right person for a position (they do have algorithms, right?), have a stroll through the company neighbourhood at night (check with your physical security contractors or the police first) or take turns with your colleagues exchanging roles (no matter for hours or whole days). If this means that suits have to code and developers have to spent a day restricting their tool chain to spreadsheets, then yes, this is exactly what it means.
The days where information security was a special branch of information technology are over. This is exactly the reason why we encourage everyone with different backgrounds to attend the DeepSec conferences. Educate yourself by exposing your ideas to others and theirs to yours. Additionally you can always trade a few hours project management with a few hours coding assembly exploits for smart phones. „#win #win“ as they say on Twitter.