Throughout most of my tenure at a security software company, I was of the opinion that despite being in a great work environment with great people, security was inherently boring. My reasoning was that in a perfect world, we’d still have video games and blogging software and Microsoft Word, but we wouldn’t need any of this security nonsense. It exists only to protect against a poorly-defined threat, not because it really does anything on its own.
So as the UI engineer, I purposely avoided learning how all this security stuff really worked. I figured that I didn’t really need to know what LDAP was to implement a checkbox labeled “use LDAP”. This was more or less true and felt pretty good right up until one of my co-workers pointed out that, “In the near future, when the market is saturated with out-of-work software developers, the ones with security expertise will still be in demand.” Shucks.
So in my new job, as the guy who used to work at a security software company, I found myself being in charge of implementing various security-related tasks in the product. Two things immediately surprised me. First, I know a lot more about security than I ever gave myself credit for. I only thought I was daydreaming during Eric’s “What is a certificate revocation list?” lecture. I was actually in partial-comprehension mode. It’s like all that fence painting finally paid off. Second, I kind of like this stuff. Like all enterprise software, the tools are lousy, the documentation is poor, and support is non-existent. But I think that when you actually apply security to a real-world problem, it suddenly becomes interesting.
…which I think goes back to why I left my old job. We were using technology to solve a problem with technology, not a real-world problem. It was security, pure and simple, not applied security. I see it as a personal flaw that I am only motivated by software that can be tied to a real-life user.