So, as much as you may not like it, there are plenty of folks out there who understand that software security is a design and architecture issue – not a process of slapping band-aids on bad code until it’s, well, bad code covered with band-aids. What you’ll find is that engineers who understand engineering discipline find bug-hunting to be an utterly boring process; well-designed and implemented systems don’t need “pen testers” – they cross-check themselves. The only reason the industry is in the horrible condition it’s in today is because the vast majority of code that’s been fielded to date is crap. That will have to change. And when it does, “pen testers” will become peons in the quality assurance department.
I would say that most pentesters are failed security analysts who do not understand engineering discipline and have chosen to engage in the war of band-aids instead of learning how to build correct systems. And then there are the pentesters who really are cybertrespassers at heart, who have found a financial and moral justification for doing something for money that they’d otherwise do anyhow, for free, in the wee hours of the night.
Put differently: either way you slice it, pentesters aren’t worth a bucket of warm spit as far as I am concerned.
There would be so many things to say that keeping my mouth shut is maybe the best thing to do.
I’ve always felt part of the “quality assurance department” when I was asked to prod things that had been or were being deployed, just to be sure that another pair of eyes would spot more security problems; never felt like a peon though. Damned self-esteem.
It looks like Marcus is not taking into consideration that even when deploying perfectly secure “software units” there can always be unexpected/funny/dangerous problems in gluing them all together.