Hello ISC2 community!
I am recently catching up on my CPEs and I love the webinars. I was looking for the magazine and upset to find out it was gone. However, I picked up the webinars and they are fantastic! They continue to get better with the discussions, the diversity of the guests, and the overall quality. Brandon is a fantastic moderator and he keeps the discussions moving along at a nice pace. Think Tanks are certainly my favorite.
One issue I have noticed when watching Security Briefings is that many of the speakers like to say, "Devs are like this, they do that. They should do this because they don't do this." And so on. I have found a lot of this material very misleading.
I am a Software Engineer with 5 years of experience, a CISSP, and CCSP. Yes, a rare creature. I have even lost a potential job because the employer couldn't figure out if I was dev or security, haha. My employment prior to becoming a dev is actually IT management and Information Security. I am Full-Stack and I specialize in automation and DevSecOps.
It pains me to hear many of the guests making some comments about devs when I believe the material is misleading, harmful to DevSecOps culture, and is being stated on a worldwide platform. I think to myself, how many other ISC2 members are watching this and either agreeing or learning that mindset?
I want some Ops and Devs in on the Think Tanks and Security Briefings. I want exposure of actual Software Engineers and Network Engineers to the ISC2 community. I think it is insanely beneficial.
From the dev side:
Ansible/Terraform, infrastructure-as-code, policy-as-code, CI/CD pipeline with security built-in, quality gates, tools like Sonar, add-ons to IDEs for security, metrics gathering and logging, DevSecOps culture, 3rd party dependency management and scanning, dev processes, how AI has affected the field, secure deployment processes and how they have changed with cloud technologies, Docker and containerization and how that has affected everything. And that is from my 5 years. I can't imagine what Architects and Lead Engineers at some companies would bring to the conversations.
I think these are things that the ISC2 community cares about, wants to know more about, and needs to know more about. I want to see that relationship grow between Dev, Sec, and Ops, instead of the "throw it over the fence" attitude that some of the guests often bring. "I learned early in my career never to underestimate the creativity of a group of developers." -Brandon. Harness that power! Build the relationships and take advantage of the strengths of your developers while influencing them to bake in security.
I came across a Security Briefing that is exactly what I wanted as far as a vision into life as a software engineer and a healthy attitude of how to work together to build a great product.
The Future of AppSec: Adopting a Modern Approach for a Cloud-First World.
Jim Routh, ex-CISO of American Express, MassMutual and Aetna, and Legit Security CTO Liav Caspi; Brandon Dunlap, Moderator
Feb 23 2023
If security professionals are interested in more, I think there should be some topics that go a step farther. "Here are the crazy things devs are doing and here is a dev to explain to you the challenge and lightly go over solutions." I think watching the discussions between Sec and Dev can influence the community towards a more successful approach.
Unfortunately, the Community does not control the Think Tank or Security Briefings. Folk here can volunteer to do those sessions if they have the experience.
As to losing out on a job, have you considered the CSSLP? It was designed specifically to assist Security folks with development.
@AndreaMoore could you funnel this one through to the appropriate department internally?
In the interim, many software vendors do webinars that may provide the content you are looking for.
Here are a few links to information for developers.
I'll pass along these comments to the webinar team.
As far as the magazine changing - here is a write up we did to explain it: https://blog.isc2.org/isc2_blog/2023/02/isc2-members-at-the-center-of-cybersecurity-content-2023.htm...
Thank you both! I wasn't sure if this was the correct place for the post.
The CSSLP hasn't really proved valuable in the Sw Eng field yet. DoD vendors will often offer training and vouchers to devs, along with CISSP and Sec+, due to regulatory compliance in DoD contracting. It makes contractors more competitive and it is some more exposure. Not perfect but a nice step in the right direction. Also, like the PE, it is gamed.
Luckily the CSSLP has not been completely rejected from the field, such as the FE and PE were immediately rejected. Which is amazing; something has stuck a little bit. I think the main issue is SwEng can include so much content and the strength of a dev is really based on doing, not talking. A few projects are far more valuable than a masters. A month of study for the CSSLP could be another side project and huge talking point at the next interview. It takes years of healthy culture and mentorship to grow a strong dev and most devs aren't attracted to security simply because most employers aren't interested. I learned this the hard way. Coming from a DevSecOps background, I had a lot of success but turned API and UI/UX. Employers often don't understand the value of DevSecOps and CI/CD pipelines until they have it and until you can provide metrics for it.
That specialization commonly suffers budget issues in a way that information security does as well. For a dev, what we aren't doing hurts us. There is always API and UI work to be done. The path becomes pretty clear. I have heard of DevSecOps Engineers being hired specifically for that role, but it isn't as common as we would like. I really appreciated Jim's comments in that Security Briefing about deadlines and demands from management. In a way, perhaps security in development is similar to security speaking with a board about risks and initiatives. Can we do it? Sure. Will you budget for it? "Haha, no no; I want that new shiny feature that will sell sell sell." It can be pretty miserable. At the end of the day we need to sell a product and we are the engineers to make it. So the CSSLP and other initiatives just don't get the light they deserve. There are plenty of products and tools that can be low effort and yield high value. Still, if a dev finds themselves in a Scrum-terfall environment, good luck. Suffer the wrath of management, hide your DevSecOps initiatives, or accept that it won't happen.