Re: Security experts in Mauritius

From: Loganaden Velvindron <logan_at_afrinic.net>
Date: Fri, 6 Nov 2015 05:40:56 +0400

On 11/2/15 4:41 AM, Stephen Naicken wrote:
>> On 1 Nov 2015, at 18:27, Loganaden Velvindron <logan_at_afrinic.net> wrote:
>>
>> On 11/1/15 8:24 PM, Ish Sookun wrote:
>>> Are you implying or suggesting that web agencies should employ
>>> software developers that understand the code behind Apache, Nginx,
>>> Varnish, OpenSSL etc? <snip>
>> If a company is developing several websites for a bunch of clients, it
>> makes complete sense to hire competent people that understand the
>> full-stack. If they took people who lacked experience, and their clients
>> are dissatisfied, they are going to lose.
>>
>> Personally, I would love to have an in-house OpenSSL guru, and a Performance expert who can understand bottlenecks down to the network stack layer. So much software is implementing crypto these days, that having one specialist, would be so much less of a headache.
> Gurus, experts or those that know the intricacies of an entire stack or an entire domain such as security are a rare breed. So rare that I personally have never met one, neither amongst the academics that I have met who I think have made significant contributions to computer science, nor the developers I have worked alongside. Of course, my sample population may not be representative, and in any case they would be too modest to declare themselves an expert. For me, today’s world is too complex for there to be oracles.
>
> In the context of networking, I know networking researchers who have great expertise of application-layer networking research concepts, but significantly less or barely any of the physical layer. In all honesty, I’d be extremely concerned about their mental health if they did - the sum of knowledge across the layers is simply too much for any one individual to master. However, they do have the skills to refer to sources of information about those lower layers and make use of it.
>
> In the context of security, who is the security guru? The theoretical computer scientist that designs a cryptographic system and presents its theoretical proof to show its underlying problem is hard under an adversarial model? Or the implementors of that cryptographic system? Or is it those that discover vulnerabilities in the implementation and its uses? I don’t believe one individual can accomplish all of these roles well, yet all are important.

I have met a couple of people that are able to understand the
intricacies of all of those layers, and they are mostly sane.
>
> Now, let's tie this into the context. How much knowledge should a software developer have of usability, security, networking and other areas? And when does he become an expert in his area of development, what level of depth of knowledge is required? It is not science, but simply a matter of opinion.
>
> I wouldn’t expect a website developer to engage in a discussion about average-case hardness or Montgomery and Weierstrass curves. I wouldn’t even expect him to know all of the details of OpenSSL, Apache, and so on. I would be happy in some cases to overlook gaps in required knowledge, if he or she demonstrates the ability to learn and adapt to changing environments and circumstances. After all, what do you do with the Apache guru when you switch to another web server, or the Java developer when you switch to some other language? If he or she can’t adapt, you fire him.

I would expect a Mauritius software developer or a Mauritius sysadmin to
be able to at least understand how Heartbleed works under the hood, to
better understand the implications behind the vulnerability for an
organization.

A quick example: A few people were quick to talk about patching for
Heartbleed in this thread. Great. However, nobody spoke (up to now)
about the need to renew certifications as private keys might have been
leaked silently before the server was patched.
> So given all that, are you going to find developers who have a thorough understanding of the full stack? From my experience, probably not, but it’s not important if they have the ability to learn, adapt and ask the question ‘Why?’.
>
> Regards,
>
> Dr. Stephen Naicken
>
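As an added illustration of "how Heartbleed works under the hood" (this code is not from the thread and is not OpenSSL's own source): a simulated heartbeat handler in the shape of the pre-fix code beside the shape of the post-fix code, the difference being the single check that the peer's claimed payload length fits inside the record actually received. The function names, the 64-byte region and the "ping" request are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simulated heartbeat request (RFC 6520, simplified): byte 0 type, bytes 1..2
 * big-endian payload length chosen by the peer, payload, >= 16 bytes padding. */
#define HB_HEADER  3
#define HB_PADDING 16

/* Pre-fix shape: trusts the peer's length field and never compares it with
 * rec_len, the number of bytes actually received. Returns bytes copied. */
static int heartbeat_unchecked(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_len)
{
    (void)rec_len;  /* the bug: received length is ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > out_len)
        return -1;  /* only the reply buffer is bounded */
    memcpy(out, rec + HB_HEADER, payload_len);  /* reads past the record if the length lies */
    return payload_len;
}

/* Post-fix shape: the claimed length must fit inside the received record,
 * otherwise the request is silently dropped, as the 2014 patch does. */
static int heartbeat_checked(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_len)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return -1;  /* too short to carry a header plus padding */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > rec_len)
        return -1;  /* claimed more than was received */
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > out_len)
        return -1;
    memcpy(out, rec + HB_HEADER, payload_len);
    return payload_len;
}

/* Constructed scenario: a 64-byte region holds a 23-byte request ("ping" plus
 * padding) whose length field says `claimed`; the bytes after it stand in for
 * neighbouring process memory. Returns the handler's result. */
static int run_scenario(int (*handler)(const uint8_t *, size_t, uint8_t *, size_t),
                        uint16_t claimed)
{
    uint8_t region[64], out[64];
    memset(region, 'X', sizeof region);
    region[0] = 1;  /* heartbeat_request */
    region[1] = (uint8_t)(claimed >> 8); region[2] = (uint8_t)(claimed & 0xff);
    memcpy(region + HB_HEADER, "ping", 4);
    memset(region + HB_HEADER + 4, 0, HB_PADDING);
    return handler(region, HB_HEADER + 4 + HB_PADDING, out, sizeof out);
}
```

With an honest length of 4 both handlers copy 4 bytes; with a claimed length of 40 the unchecked handler hands back 40 bytes, 36 of which were never part of the request, while the checked handler drops it. That silent over-read is why patching alone was never enough and keys and certificates had to be rotated as well.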
Received on Fri Nov 06 2015 - 01:30:39 PST