Had my third phone interview with a company yesterday for a Full Stack Developer role. Never thought my security experience and CISSP would be a detriment to getting hired. The interviewer noticed my CISSP and security experience on my resume and asked me if I was willing to put security aside in the name of building and deploying fast to production. The person I was talking with was one of the CIOs and heading up the new project. I explained that perhaps adding in security from the beginning would save time in the long run and not expose them to possible breaches and rework. Nope, they were going to bolt on security afterward. Got the rejection two hours later.
I honestly wish them luck because they are going to need it. Lots of it.
Interesting such a question came up. However, one thing to consider in the future might be to have a well-documented Limited Liability or Indemnity Agreement where, for instance, you can code to their hearts' content, but should anything happen because of their rush to production, there is no legal recourse on their part. Even if you had dropped this bombshell, my guess is they probably would have been dazed and confused and would probably not have moved things further.
Sounds like the interviewer never heard of SecDevOps. A DevOps approach focusing on IaC and SaC has good potential to improve overall security posture and respond to vulnerabilities quickly. So it's simply not a case of speed or security, but speed with security.
I thought it was DevSecOps?? 🙂
Then you have some DevOps wags who say security is already in it, so you don't need to talk about 'SecDevOps' or 'DevSecOps' as separate things...
I do have to wonder about the level of knowledge of some of the infosec 'leaders' I've met with on interviews. I dealt with one CISO when interviewing for an infosec analyst role that would have dealt heavily with third-party risk management who, surprisingly to me, didn't seem to understand the different SOC reports (1, 2, 3, etc.) nor had ever heard of Shared Assessments' SIG Report. Sigh. (Oh, and they decided to reject me for 'better candidates'... yeah, right.)
Your post is very informative. However, I do not wish anyone luck that wants to bolt on security later and that trashes a good person like yourself, just for wanting to do what basic due care requires. I wish you an even better opportunity later since I applaud your honesty and integrity. We need strong laws at the international, national, state and local levels of government that make it a civil and criminal offense to do that kind of software engineering. How is it that a totally irresponsible engineering approach is accepted? If any avionics, automotive, or other traditional industry took that kind of approach to any other discipline other than information technology, they would get sued to the point of bankruptcy.
I want to see liability lawyers start suing information technology firms like they do the medical industry, world-wide, so there is nowhere to hide, so as to stop all this nonsense. The likely failure that will ensue in the situation you describe will be the burden of disaster placed on the unfortunate consumer of their miscreant product. I hope that the GDPR regulators get wind of this and watch them like a hawk and when their irresponsible plan backfires that they get fined and sued out of existence. Where is the Ralph Nader we need for the software industry?
Due care and due diligence are mandatory for all other professions except for application developers and the hosting organizations of all these deformed applications. It is time now for this lax state of affairs in software engineering to stop.
We need a Ralph Nader type crusader for the software industry. It is ridiculous that in the 21st century the software engineering based industries and information technology firms still operate with the buyer-beware approach of the 19th century.