
The future of the security industry


madeyes

Newbie

Posts: 2

Joined: Tue Oct 26, 2010 2:31 pm

Post Fri Aug 09, 2013 2:58 am

The future of the security industry

Hello,
I apologise in advance if this post seems rather negative. I just wanted some opinions on this from people in the industry.
I find computer security very interesting mainly because I enjoy finding out how things work internally. At times I have considered a career in this area (I am currently a software developer), but I wonder about its future.
Our goal in this industry should be to make software more secure, but if we achieve that goal will we have jobs any longer? Even now I find a lot of the security books focus on things like buffer overflows which are difficult to find in the wild now and sometimes cannot be exploited due to operating systems protection. So I think is there much point in learning about these kinds of attacks? I find them interesting technically but how often will they be seen in the wild in the future?
I also find some of the articles on Phrack like this interesting:
http://www.phrack.com/issues.html?issue ... 13#article
and I would be interested in opinions on this from "the other side", i.e. security professionals.
That article (and others on Phrack) are quite negative about security professionals, but I haven't seen any counter arguments.
I don't mean to put down the security industry, I am just after people's opinions.

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Fri Aug 09, 2013 3:33 am

Re: The future of the security industry

Back in the day - we had MS-DOS - which was easy to bypass security on. As technology allowed us to do new things (the internet) we had websites (with badly configured webservers). As webservers got better, we got web programming languages (which allowed command injection), and then large websites with databases behind them (which allowed SQL injection).

Rolling forward, we all got smartphones (which are still an important attack vector), and quite recently we've started rolling out Utility Smart Meters (which have a load of holes).

My point is that there is always going to be new technology, and with new technology - innovation and cost always come first - security comes second.

A security professional is the same as a cutting-edge developer or a Systems-Admin - you always have to keep up with the latest technology and how to use it.

So maybe Operating System exploitation might be dead - but there is always going to be the 'next big thing' around the corner that's going to have flaws in it, and when that happens you have to learn how it works, and how to break it. That's why the security profession isn't going to die.

madeyes

Newbie

Posts: 2

Joined: Tue Oct 26, 2010 2:31 pm

Post Fri Aug 09, 2013 1:01 pm

Re: The future of the security industry

I see your point about new technology bringing new security flaws, and that's true, but you'd hope that security would improve as mistakes from the past are learnt from. Do people join the security industry because they want to improve security in general or just because they enjoy legally hacking?

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Sat Aug 10, 2013 1:22 pm

Re: The future of the security industry

Security professionals will never be obsolete. As noted, new technology brings new flaws. In the 90s the most popular class of bugs was buffer overflows. Now that web applications are popular, we have to worry more about SQL injection, cross-site scripting and other problems more pertinent to the web.

In cryptography, the work from a decade or two ago focused on designing good algorithms (e.g. AES). Now, we have good algorithms but implementations are flawed (CRIME, BEAST, CBC padding oracles, bad RNG, etc).

Not every security professional even does penetration testing. That's just one specialty. Other professionals do application security, forensics, incident response, risk assessment, auditing, policy work, cryptography, network security, etc.

I think people join the field for a lot of different reasons. It's challenging, it changes constantly, you can work to keep the bad guys out or find them when they get in and you can hack legally.

We definitely learn from the past and improve what we do. Security is a much deeper and broader field than it was 20 years ago. Unfortunately, one of the constant challenges is communicating with the non-security crowd. We understand SQL injection but application developers still write vulnerable apps. We know that the best password hashes available are bcrypt, scrypt and PBKDF2 but developers still use MD5.

If you enjoy security, stick with it. The field isn't going away.

josephTaito

Newbie

Posts: 9

Joined: Wed Aug 21, 2013 2:29 am

Post Wed Aug 28, 2013 4:22 am

Re: The future of the security industry

IT security is education. Knowledge is power! Without security the world is not complete. Without law any country or world over is not safe. Security will continue to grow.
