Extremely unpopular opinion - you DON’T NEED to know how to set things up to secure it, and you don’t need to start in IT help desk
Note - I’m in appsec, and I can’t speak to all security disciplines. But people seem to apply the narrative to all security disciplines. I think this type of thinking is extremely outdated. THIS DOES NOT PERTAIN to the job market - I’m not arguing HOW TO get a job, or what is needed to get a job.
Never once have I felt like I needed to know how to / been asked to set up a firewall, set up access for a new employee in our AD, set up local accounts on end devices, configure a network switch, set up wifi in our offices, etc. In my opinion, if you are doing both, you’re doing the job of two people. That’s not a security career problem, but a company one. With the exception of application-level firewalls - but I’d say that most likely it’s a shared responsibility of the network team and the appsec team; the appsec people would drive the application-level blocking of signatures, header replacement etc, and knowing where the gaps are ON the application level. The point is that security is a shared responsibility, and to say you need to know how to set things up / have worked the IT support persona isn’t always helpful or true.
Depending on the maturity of the company, I have either 1. not cared about anything else but the code/design/app/resource configurations in AWS/Azure at the less mature ones, or 2. taken a more holistic view of appsec across all app entry points (CI/CD, WAF, runtime, egress etc), ISMS, SDLC etc. Even when I was at a 3-man shop, we had a network guy who set things up - and I was very comfortable not learning those things and only focusing on appsec.
But still I do not need to know how our wifi is set up at the office, how our printers are connected to the wifi and network, how to set up/maintain our AD, and how to provision access for a new user in our AD. I certainly do not need to know the CLI to close a port on our switch 💀 I know we have gaps there - and yes, we are probably vulnerable. But it’s not my battle - and I can’t spend time investigating every possible gap I see. These risks should be raised and owned by the network/IT people. Whether they are doing their job is a different question.
The biggest thing is understanding risks - for every security professional. Example - I don’t need to know how to disable local admin / how to set AD up for our env to know what risks it has, and how to communicate that to business execs. I should know how AD works in principle, what it is etc, and know enough to know how to read a pentest report on our AD (and what questions to ask the pentesters and how to write the scoping doc) and calibrate the risks to our env/business requirements, but I don’t need to know how to set up AD. And I’m comfortable telling my manager that no, I don’t feel comfortable doing the pentest myself because that’s not my specialty.
If you do not know enough to calibrate risks and to know if the pentest report actually has good coverage - then it becomes an issue. BUT you do not need to know how to set things up to know that. This applies to a lot of things.
For appsec, I need to know how to set up our CI/CD to secure it, yes. But that’s domain knowledge. If your security domain does not require you to know how to set up AD, switches, or routers, don’t feel the pressure to learn it. But do know enough to know what they do - think CompTIA Network+ knowledge.
Even when I worked at AWS, I knew how to talk to our devs about whatever resources they chose to use in the design, ask the right questions and come up with controls - but I didn’t know how to set up a VM etc in AWS.
This whole narrative is especially true with the increased cloud adoption and usage. I’d rather you learn cloud instead of how to do a Cat 5e Ethernet cable 💀.
The only exception I can think of is forensics and incident response - they need to be familiar with the CLI etc and time precision. But for the other security disciplines - I really don’t think this “help desk first and IT exp first” matters that much. I don’t know about network security, so I can’t speak to that. But I don’t need to know how to set up routers, switches and VLANs to know and ask: 1. Can this service reach that? 2. Also, in cloud, a lot of this is abstracted into cloud concepts. 3. For on-prem networks, this again is a domain responsibility that should be owned by the network team, so I (as an appsec person) don’t and have never felt the need to know the technical details of the implementation.
So yeah, if you want to insist on the narrative that one needs IT exp or having worked help desk - please accompany it with the type of job you are talking about within security.