Full disclosure. I work for a company that makes security test and performance benchmarking equipment. Prior to taking this job I was a steadfast believer in what we do in the security space. Designing and delivering good security was what got me out of bed in the morning; I loved it. Everything about it. I found the constant, evolutionary nature of security challenging and intoxicating. I honestly believed that I could design and deliver good security given appropriate time and resources. It was a good feeling.
That confidence is shaken.
Since taking this job, I've used my experience with many of the platforms I used previously and the access I now have to tools that test and validate those solutions, and the results have been disturbing.
I've found mainstream security solutions that secretly identify test traffic and accelerate it to get a better performance test result (think VW emissions scandal).
I've found mainstream solutions that claim to decode and inspect SSL, but actually bypass certain (common) ciphers and conditions to improve performance.
I've found solutions that secretly unload security completely to improve customer QOE and performance.
I've found IPS protections that filter very late in the call flow, after malcode has already transferred, or that claim to fire and actually do not work at all (often tied to a marketing message about how good the manufacturer is at deploying quick-response security).
and on, and on and on.
I've quietly watched some of the acronym-based (so-called) security test houses, but I honestly think they're more interested in making money than in delivering a quality test result. One solution I know has issues was recently given the highest rating in a test directly related to the issues I've identified.
Can anything be believed? Is anyone else seeing this?
So, like many security pros, you came to the field with the intent of making a difference, doing the right thing, fighting the good fight - all the right reasons. I applaud you for joining the security field for all the right reasons.
Now seeing how the business side of security tarnishes those very good and lofty reasons for becoming a security practitioner leaves you feeling a "bright green glow of being jaded." Yeah, that's easy to understand, and many of us have been there, but you're not always dealing with security people; you're dealing with security business people. The latter are more interested in your labor than your outcomes, and the two are often in conflict. That's normal in itself when SMEs collide with business, no matter the field. You are certainly not alone there!
How do you get to that happier place where that color of jade becomes a sunnier, happier, say, yellow? To stay with your existing organization means accepting that the only outcome your boss is going to be interested in will come from accounts receivable and not from the betterment of the organization or the clients served. Learn to live with the business constraint: it is what it is, and leave it at that. You decide that doing the right thing by your clients is first and foremost.
You may decide that this particular environment isn't all that satisfying and move on to an organization better suited culturally to your desires. For good or bad, most people quit bosses, not positions, unless they are changing careers, moving a geographic distance, etc.
Finally, you are indicating that you feel a great deal of appreciation for detecting new security opportunities that do make a difference for either your organization or your clients. Perhaps some of these truly novel approaches could be incorporated into a presentation or whitepaper worthy of being shared with others. There is nothing like presenting to one's peers, for good or bad, to gain some external exposure and help others. Giving back to the community fulfills the reason for going into the field in the first place.
From experience, I have done all three options but always experienced career growth along the way.
Great points. I would say that of course they are primarily focused on making money. If they weren't, they would be out of business and not helping at all. We have to acknowledge that with everything. If not, we are not going to see the good for the bad. I've known that without really realizing it was intentional. Simply put, I've seen flaws in rule sets before but didn't really realize it was for speed and/or sales. We've always just filled in the gaps by writing rules that cover some of them, then "tweaking" them according to the number of false positives and so on. You don't have to get frustrated, just get even. Take the tool and make it better for your needs.
It's not clear if (a) your organization is involved in the deliberate falsification of test results, or (b) your work has helped you find issues that other organizations are not finding (or are ignoring). If it's the former, is there an ethics department within your organization you can contact? If it's the latter, perhaps you can report the issues you are finding to a watchdog. It doesn't sound like you're enjoying your work, but you can do some good by exposing these practices.