Cybersecurity 'Experts' suck at coding. It's a problem.

In this video, we discuss why security researchers need to understand software engineering. We examine common tasks within cyber security and how they would be improved with development experience.
---

Timestamps:
00:00 Intro
00:35 Reverse Engineering Unfamiliar Languages
04:10 Exploit Development and Vulnerability Research
07:45 Big Data
08:58 Ransomware + Cryptography
10:50 Writing Good Detections
13:37 Understanding Both Sides

---

Links Mentioned in Video:

---
laurieWIRED Twitter:

laurieWIRED Website:

laurieWIRED Github:

laurieWIRED Instagram:

laurieWIRED HN:

laurieWIRED Reddit:
Comments

drinductor:

Laurie, I'm not sure if you're aware, but this video has an ear-piercing squeak around 16kHz (likely caused by the flyback transformers in those CRTs). Most people won't hear it, but it's unwatchable for those who can.
LukeAvedon:

This gives me a lot of hope as a software developer with reversing / security research dreams.
neilclay:

As a software engineer, a video titled in such a way as to suggest that other people aren't as good as me at something I do professionally is clearly a good thing and must be completely correct.
josephowens:

I'm at the late career stage of cybersecurity and fully agree. When I started out, security was at best an afterthought, so my early tech career was back in the days of assembly language and the original C, before OO was a thing. I was always into the idea of security, and some of my employers humoured my paranoia when I could articulate risks well. The reason I could do this was that I not only had the technical grasp to get support from that side of the company, but also the quantitative business understanding to put a monetary value on risk for the suits. These days I see far more emphasis on talking to suits than on understanding the deep technical aspects of risk. Both are vital to the security role. It is, more than anything else, a translator's role that requires fluency in both domains.
DroneMothership:

Yeah, it is an issue. When I was starting out, so many "popular" security experts told me you don't need to code to use tools. In hindsight it did a lot of damage later on, when you get into very advanced topics that require you to do it yourself. You reach an upper limit in skill if you don't learn how to code or develop software early on.
mikerollin:

I've always assumed that programming skills were a prerequisite for getting into this field.
Nyocurio:

Extremely anecdotally, the people at uni in my CS course who were gunning for the cybersec track absolutely hated anything related to programming and just did the bare minimum to pass. I could never quite understand how one could be interested in the former while having an aversion to the latter; to me, they seem intrinsically entangled.
salazar:

As someone who is primarily a programmer but does know a bit of cybersecurity: it is okay to have non-programmers on the team. A lot of attacks are social or psychological, and in addition a managerial social-butterfly type is useful for convincing executives that it's worth the cost to implement defences or to run things like spear-phishing simulations.

Also, it is well and good to have a mathematically verified authentication algorithm, but sometimes we forget about big-picture stuff like what happens if there is a blackout, or how the procedure for employees getting ID cards works. In addition, not having non-programmers on the team might lead to making procedures too difficult or annoying for regular people, which means they'll just skip or get around them (i.e. Neville Longbottom in Harry Potter keeping a list of future passwords on a sheet of paper because they changed too often); if this happens you make things even more insecure.

You do need a good number of programmers on the team, but fundamentally people with different backgrounds are going to discover completely different types of vulnerabilities, and four geniuses who spot the same thing are less useful than four competent people who spot different things.
OctagonalSquare:

This is also a concern in other fields. Generally, the developers of a piece of software have never worked in the field the software is for, and its users have never been developers (neither have their managers).

Without revealing too much, that's why I have my job. I'm basically a liaison for our customers, as I've got a degree in computer science and worked as a dev for a few years, but also worked in the field we develop for and have a passion for it. So I'm in charge of meeting with customers and potential customers about their needs and helping plan our path forward with my knowledge of what the industry as a whole needs and what is possible in the timeframe given.
ishonk:

Most people are mediocre or bad at their job, not only in the cyber security industry. I'm more in security management, and boy do we have idiots running around in that area (both old and young).
The only area where this pattern really affects me is the medical profession. Don't wanna die some day because the doctor was crap at his job.
ishonk
Автор

« Cybersecurity » itself is a broad term it’s like saying that you work in "IT", there are so many jobs Involved in it that some things are just not your responsibility. Most of the stuff discussed here mostly apply to like software security, bug bounty, web app pen testing which are different from like network security. I do agree obv you gotta know how to read and understand code but it really depends on what you’re specializing in. How can you be a reverse engineer if you don’t know the language that you’re trying to break apart? it doesn’t make sense, obv you should learn the language. But like a network security engineer doesn’t necessarily have to worry about that. that’s why reverse engineering is it’s own thing but they’re all under the umbrella of “cybersecurity” correct me If im wrong

saintgermain
Levelworm:

The problem is that the industry is hiring people with "certificates" instead of people with a lot of developer experience. If you are not asking for that, and if you are only making them click through checklists, then that's what you are getting. I always feel cybersecurity should be a VERY senior position -- you should never hire people with no developer experience into the field.
brookswift:

I'm fond of combining dev ops, security, and dev tools into a single team/scrum group as I scale up a company and start assembling engineering teams. The best way to get devs to use security best practices is to build tooling and workflows that encourage it. Poor security tooling or security by fiat usually just results in frustrated users and devs circumventing the security, or avoiding working with security because of how much friction it adds to their daily workflows.
randommoosebrains:

Agreed. Originally we were told programming is just for scripts, but for many aspects of cybersecurity it's important. Heck, look at web app pentesting: you NEED an understanding of JavaScript to communicate findings to the web devs. Also secops is a must.

With the amount of free resources out there for coding, it's a must for anyone doing infosec.
filiplaubert:

We can hear the high tone of a CRT monitor.
monad_tcp:

To reverse engineer, it helps when you know how to engineer things.
ayoCC:

Changing the camera angle occasionally is really smart to bring back the viewer's attention during a long monologue, without having to make complex visualisations or find relevant other video material.
jojosthenewblack:

There's a horrible high-pitched sound playing throughout your video, and it makes it painful and difficult to focus on the informative aspect of the video.
xazauhitra:

I really appreciate you making this video, Laurie; it was the wake-up call I needed to push myself further than the goals I had previously set for myself.
GoldenBeholden:

I do amateur pentesting for fun based on responsible disclosure policies -- I have no formal training in cyber security, but I have been able to get very far just with my knowledge as a software engineer. Sure, I may lack specialised knowledge, but learning how to make systems teaches you how to break them as well.