Re: Security experts in Mauritius

From: Stephen Naicken <stephennaicken_at_gmail.com>
Date: Mon, 2 Nov 2015 00:41:17 +0000

> On 1 Nov 2015, at 18:27, Loganaden Velvindron <logan_at_afrinic.net> wrote:
>
> On 11/1/15 8:24 PM, Ish Sookun wrote:
>>
>> Are you implying or suggesting that web agencies should employ
>> software developers that understand the code behind Apache, Nginx,
>> Varnish, OpenSSL etc? <snip>
> If a company is developing several websites for a bunch of clients, it
> makes complete sense to hire competent people that understand the
> full-stack. If they took people who lacked experience, and their clients
> are dissatisfied, they are going to lose.
>
> Personally, I would love to have an in-house OpenSSL guru, and a Performance expert who can understand bottlenecks down to the network stack layer. So much software is implementing crypto these days that having one specialist would be so much less of a headache.

Gurus, experts or those that know the intricacies of an entire stack or an entire domain such as security are a rare breed. So rare that I personally have never met one, neither amongst the academics that I have met who I think have made significant contributions to computer science, nor the developers I have worked alongside. Of course, my sample population may not be representative, and in any case they would be too modest to declare themselves an expert. For me, today’s world is too complex for there to be oracles.

In the context of networking, I know networking researchers who have great expertise of application-layer networking research concepts, but significantly less or barely any of the physical layer. In all honesty, I’d be extremely concerned about their mental health if they did - the sum of knowledge across the layers is simply too much for any one individual to master. However, they do have the skills to refer to sources of information about those lower layers and make use of it.

In the context of security, who is the security guru? The theoretical computer scientist that designs a cryptographic system and presents its theoretical proof to show its underlying problem is hard under an adversarial model? Or the implementors of that cryptographic system? Or is it those that discover vulnerabilities in the implementation and its uses? I don’t believe one individual can accomplish all of these roles well, yet all are important.

Now, let’s tie this into the context. How much knowledge should a software developer have of usability, security, networking and other areas? And when does he become an expert in his area of development? What level of depth of knowledge is required? It is not science, but simply a matter of opinion.

I wouldn’t expect a website developer to engage in a discussion about average-case hardness or Montgomery and Weierstrass curves. I wouldn’t even expect him to know all of the details of OpenSSL, Apache, and so on. I would be happy in some cases to overlook gaps in required knowledge, if he or she demonstrates the ability to learn and adapt to changing environments and circumstances. After all, what do you do with the Apache guru when you switch to another web server, or the Java developer when you switch to some other language? If he or she can’t adapt, you fire him.

So given all that, are you going to find developers who have a thorough understanding of the full stack? From my experience, probably not, but it’s not important if they have the ability to learn, adapt and ask the question ‘Why?’.

Regards,

Dr. Stephen Naicken
Received on Mon Nov 02 2015 - 00:41:32 PST