GatewayNode

Addressing Some Security Concerns

So, in line with being a full-time infosec professional now, as I've worked my way around the Purism community and started putting together a dev environment, I noticed a few concerning things. Now, a couple of years ago I probably wouldn't have noticed anything, despite being considered a DevSecOps engineer/architect. I must say the change in perspective has been dramatic; it really makes me question whether DevSecOps is even a thing. Can you really be an engineer trying to find solutions and also recognize all the security implications?

The way we look at it at my day job is like this. The engineers and architects are focused on finding solutions and building things. We teach them as much as we can about security, but it's not really their job to look for security flaws and think about what could go wrong. Building good solutions requires dedication to problem solving, computer languages and infrastructure features. Likewise, security, especially application security, requires dedication to breaking things, abusing functionality and being professionally paranoid. I'm beginning to think more and more that you just can't do both well at the same time. I still think teaching DevOps and engineering folks security is important, but I really don't think it is enough to have DevSecOps as the only security people on an engineering team.

Noticing some things has led to me helping Purism as a third party. This is a good place to be when assessing security issues: I don't know much about their infrastructure yet, so I can come in and look at it in a very objective manner. Hopefully I can help them harden things. It's actually not bad from what I see right now, but it could be better.

Note

Security-wise, things can always be better, no matter how good you are. If you think your security is good enough or doesn't have any room for improvement, you are always wrong, IMHO.

Ouroboros, you know the snake that eats itself...