Re: Security experts in Mauritius

From: S Moonesamy <sm+mu_at_elandsys.com>
Date: Mon, 02 Nov 2015 00:11:32 -0800

Hello,
At 16:41 01-11-2015, Stephen Naicken wrote:
>Gurus, experts or those that know the intricacies of an entire stack
>or an entire domain such as security are a rare breed. So rare that
>I personally have never met one, neither amongst the academics that
>I have met who I think have made significant contributions to
>computer science, nor the developers I have worked alongside. Of
>course, my sample population may not be representative, and in any
>case they would be too modest to declare themselves an expert. For
>me, today's world is too complex for there to be oracles.

I don't recall meeting anyone who knows the intricacies of an entire
stack. There are very few people who come close to knowing an entire
domain such as security. As mentioned above, the world is too
complex; can one person cover a wide range of subjects?

>In the context of networking, I know networking researchers who have
>great expertise of application-layer networking research concepts,
>but significantly less or barely any of the physical layer. In all
>honesty, I'd be extremely concerned about their mental health if
>they did - the sum of knowledge across the layers is simply too much
>for any one individual to master. However, they do have the skills
>to refer to sources of information about those lower layers and make use of it.

I know a few people who have expertise in application-layer
concepts. It's nice to see the sum of knowledge mentioned in the above. :-)

>In the context of security, who is the security guru? The
>theoretical computer scientist that designs a cryptographic system
>and presents its theoretical proof to show its underlying problem is
>hard under an adversarial model? Or the implementors of that
>cryptographic system? Or is it those that discover vulnerabilities
>in the implementation and its uses. I don't believe one individual
>can accomplish all of these roles well, yet all are important.

You need the theoretical computer scientist to validate the
theoretical proof. You need the implementor of the cryptographic
system. In an adversarial model, a different individual will
discover the vulnerabilities of the implementation once it is used on
the internet.

>Now, lets tie this into the context. How much knowledge should a
>software developer have of usability, security, networking and other
>areas? And when does he become an expert in his area of
>development, what level of depth of knowledge is required? It is not
>science, but simply a matter of opinion.

I suggest reading about each of the topics mentioned above to
understand the depth of knowledge required to become an expert in
each of them.

>I wouldn't expect a website developer to engage in a discussion
>about average-case hardness or Montgomery and Weierstrass curves. I
>wouldn't even expect him to know all of the details of OpenSSL,
>Apache, and so on. I would be happy in some cases to overlook gaps
>in required knowledge, if he or she demonstrates the ability to
>learn and adapt to changing environments and circumstances. After
>all, what do you do with the Apache guru when you switch to another web
>server, or the Java developer when you switch to some other
>language? If he or she can't adapt, you fire him.

I would not discuss "curves" with a web site developer. I
don't expect a web site developer to know the details of OpenSSL. I
would expect a web site developer to know the basics of Apache. Why
would a company hire someone with Apache expertise to keep an average
web site running? The ability to adapt does not turn a person into
an expert. However, it may be useful to that person if he/she does
not want to be fired.

Regards,
S. Moonesamy
Received on Mon Nov 02 2015 - 08:12:08 PST

This archive was generated by hypermail 2.3.0 : Mon Nov 02 2015 - 08:18:02 PST