
Ask HN: Best Options to Start Internal Security Team(s)? - MidwestEngineer
Here's the situation: I work for a company and within the last month we got informed that the product I work on will no longer get exemptions for deviations from the security policy. So now my manager and their manager are canvassing for ideas on how to address this, with the end result of putting together a team to start ensuring strict adherence to the security policy. Management wants to start doing pen testing, code analysis, threat modeling, etc.

I advocated to hire an outside firm because obviously that'd be their specialty, but that fell on deaf ears, because money. It'd be "cheaper" to do it in-house instead of outsourcing it. I responded that sure, in the short term that's true, but a thrown-together internal team will have nowhere near the skills an outside firm does, and it'll only be cheaper until a security flaw is exploited. But alas, I don't sign the checks, so an internal team it is then.

I'm under no illusion that I have these skills, and I'm aware that other engineers get degrees in this field, so there isn't going to be a "here you go, this is everything you need!" answer. I'm mostly looking for enough information for it to be "good enough" (I know, not the best philosophy when it comes to security, but you can only do so much, right?).

#1 - Are there any tools that we can use to help automate some of this? I've used Wireshark in my work to do packet traces for debugging, and I've played around with Kali Linux a while ago in my free time.

#2 - What resources would you suggest we investigate to help this internal team learn the concepts and methodologies?

I'm trying to get as much of a head start on this as possible, even if it amounts to "hey, we should check out these technologies." I want our platform to be as secure as possible for our end users.
======
consultutah
In the short term, it is better to outsource and have someone that knows what
they are doing build your security plan. They will probably suggest ongoing
consulting as well, but for cost savings it would be better to have periodic
(quarterly or 2x/year) reviews after you have things rolling. Long term, it
would be better to build this out internally, but outsourcing could
significantly jump-start any improvements you'll see.

