
Learning new skills in InfoSec without getting overwhelmed - ingve
https://azeria-labs.com/paradox-of-choice/
======
debatem1
Security is about doubting what you're told, productively. Anyone who tells
you otherwise should be doubted-- productively.

If you build security tools, verify that they actually work. If you write
exploits, doubt every correctness claim until proven. If you make policy,
assume ill intent until proven otherwise. These are the iron rules.

Knowing where to look or to care comes with experience. In the meantime, ask
questions.

~~~
lobotryas
> assume ill intent until proven otherwise

What does this even mean? This sounds more like being a roadblock to everyone
else because you can say “but what about the security” and everyone has to
dance to your tune.

~~~
jodrellblank
Assume the user's search term or form data is going to contain SQL injection
attempts. Design to handle that.

Assume the person calling up to reset a password is trying to access someone
else's account, so make them prove their identity before resetting a password.

Assume employees will go poking around internal fileshares where they
shouldn't have access, and design ACLs to keep them out.

 _and everyone has to dance to your tune._

Good. Developers who don't dance to that tune are responsible for headline
after headline after headline of valuable user data being accessed, stolen, or
leaked, and should risk having their professional software development
licenses revoked and companies being fined by watchdogs.
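The first of those assumptions, made concrete as an added example (not jodrellblank's code): a product search that pastes the user's term into the SQL text beside one that binds it as a parameter. The table, rows and hostile term are constructed for the demo; the point is that the bound version treats the term as data no matter what it contains.

```python
import sqlite3

# Constructed sample data standing in for any application's search backend.
ROWS = [("apple", 1), ("apricot", 2), ("banana", 3)]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", ROWS)
    return conn


def search_concat(term):
    """The 'trust the input' version: the search term becomes part of the SQL text,
    so anything in it that looks like SQL is executed as SQL."""
    conn = _db()
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def search_param(term):
    """The 'assume hostile input' version: the term travels as a bound parameter,
    so the engine only ever sees it as a string to compare, never as SQL."""
    conn = _db()
    sql = "SELECT name FROM products WHERE name LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    # Constructed hostile term: closes the quoted literal and adds an always-true clause.
    hostile = "x' OR name LIKE '%"
    print(search_concat(hostile))  # all three rows: the WHERE clause was rewritten
    print(search_param(hostile))   # []: no product name literally contains that text
```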

~~~
thrower123
This sort of thing is exhausting if you have to keep it up unsupported. Being
the negative nancy that keeps pointing out the holes in other people's grand
plans earns you no kudos.

~~~
pixl97
Depends who you are leaking the holes to. Negative Nancy probably makes a
living selling said flaws to foreign governments these days because no one
will listen to them.

~~~
debatem1
A team I used to work with closely had a process where if a development team
didn't think an issue was important enough to fix and release the security
team was encouraged to find other buyers for the vuln. It was actually a
pretty great way to both keep people on the same page and keep your security
folks tethered to reality.

------
solipsism
This article isn't about infosec at all. Instead it gives some general advice
for avoiding analysis paralysis and choosing from among many options.

------
zcw100
Yes, you’re a pretty little snowflake. Unique among the world. No other
profession or field has to suffer the hardships you have to suffer. Get over
yourself. Everyone has this problem. Many people don’t even have a name
for what they do. You have conferences, educational curricula including at the
university level, professional organizations, etc.

