
Does Offensive Security Really Exist?

November 15th, 2011

And NO, I am not talking about the great folks at Offensive Security. I KNOW they exist. 🙂

I had some great commentary and discussion on my last post, “Doom, Gloom, and Infosec”. Jericho rightly pointed out the ever-popular Charlatans page at Attrition. This could definitely lead some to feel a little despondent or at least irritated in this field. Asshats have a way of doing this. Wendy at 451 had some interesting thoughts, too, as did a few other sites and folks. My friends at the Infosec Daily Podcast, Rick and crew, had a discussion about the post that really got me thinking, though.

In my post, I list some general ideas of reasons why infosec might suck. These were totally off the top of my head, based on a lot of conversations I’ve had in the last few years with people in all walks of the industry (consultants, company and end user practitioners, CISOs, trainers, you name it). The ISD crew talked about them, and made an interesting statement – “as offensive folks, many of these don’t apply to me|us”. The premise being that folks playing DEFENSE (responders, intrusion analysts, firewall folks, etc.) have a worse time of it. This is likely true. But the point that stuck with me was the concept of “offensive infosec” roles. The assumption, of course, is that this means vulnerability assessment teams, red teams, pen testers, and so on. And I get what they are saying. However, I want to refute the concept of “offensive” vs. “defensive” security staff. I don’t think that’s realistic. Reason? Offense really exists for one reason only – to inform defense. In my mind, this really means we’re ALL defense. We just accomplish our defensive strategy and tactics in different ways.

I am a pen tester and someone who enjoys “breaking” as well as “fixing”. Would “breaking” fit into a security philosophy if not for the perceived benefits to “fixing”, though? I’m not trying to blow this all out of context, I know exactly what the ISD dudes meant, but it just got me thinking – when we classify ourselves that way, we may in fact be doing ourselves a disservice as a whole. Interested in your thoughts.
