Why AppSec fails | Tales about Software Engineering
Let me tell you a story about Application Security (AppSec). It contains heroes and villains, and I’m not necessarily thinking about the defenders and attackers here. It contains lots of interesting technology that is often overemphasised. We’ve got whole industries that work on letting us know how scary it is out there, vulnerabilities that are marketed like rock stars and terminology that makes you quiver in your boots: who would want to fall victim to an Advanced Persistent Threat (APT)? There are red and blue teams and that make me think of the Matrix. But what’s behind the jargon?
I’ve been working in AppSec for a while now, and got into it more or less by accident. Rather than regurgitating the Wikipedia definition, I’m going to try to explain it in my own terms. And as such will try not to overwhelm you with jargon (although a passing familiarity of software development is assumed).
An SEP is something we can’t see, or don’t see, or our brain doesn’t let us see, because we think that it’s somebody else’s problem. That’s what SEP means. Somebody Else’s Problem. The brain just edits it out, it’s like a blind spot.
