Security, the infinite game, and the pit of despair
Welcome to application security. Once you get started, you can't help but see the problems with software all around you.
So, how do you avoid the pit of despair, burnout, and overwhelm?
What sausages and application security have in common
I can distinctly remember the moment from my childhood when someone told me what was inside the sausage I was eating. I remember the glee on their face when they described the likely ingredients and their delight at my natural recoil.
When I started to transition from working as a software developer into a more application security-focused role, the revelation and the recoil were very similar.
As a junior engineer, I wore rose-tinted glasses. I believed that the code I was working on was built by brilliant engineers from trustworthy components and that with enough effort and learning, all software (even that which I wrote) would be an amazing thing.
I found it hard to stomach that despite the best efforts of everyone on my team, including me, the software could still be insecure — and that almost all software is a mix of various code qualities.
Software security flaws: once you see them, you can’t unsee them
As soon as I knew the humble sausage was something to be wary of, I could never see them in the same way again. And sure enough, the same thing started happening with application code.
Once you learn how to see the flaws in software — whether from a design or code perspective — you start to see the same patterns everywhere. Maybe it’s a system you’re working on or an application you’re using as part of your day-to-day life that you first see through your new, wiser eyes — either way, it can soon start to feel like you’re surrounded by insecurity.
At first, this can be exhilarating.
You start to find bugs and report them. Your list of issues to address grows, and you find great pleasure in your pursuit of security and quality code.
But over time, this shine begins to fade. Maybe you notice that the number of bugs you find is much higher than the number of issues you can fix. Sometimes this is due to a lack of ability or solution, and sometimes this is due to a lack of support or permission. After all, your team has deadlines and things to achieve, and refactoring or reworking old code is rarely helpful when time is tight.
Welcome to the pit of despair
I know, I know — it’s a bit dramatic, but that’s really how this stage can feel. And I suspect if you’ve been here, you’re nodding along.
In other parts of the business world, they call this “the chasm”. Specifically, it’s the point at which you realize how big the issue is and how much work you need to do to succeed. It can feel overwhelming and unachievable.
I’ve learned that succeeding in application security comes down to how you respond to standing at the edge of this pit.
Do you run away and go find something easier to do?
Or do you dive in?
This is the point where many people change roles or sometimes even change organizations. Faced with an unsolvable problem, they walk away rather than burn themselves out.
And it’s understandable to put yourself first — but there’s another way.
Eat the appsec elephant in chunks
Everyone in security knows that we stand on the edge of the pit of despair.
There will always be more to do than we have time for. There will always be compromises and issues left unfixed. It is, in the words of Simon Sinek, an infinite game. It has no endpoint, and there is no winner.
To survive the pit of despair, we need to understand that the aim is not to cross it. It’s to make it feel less oppressive.
Security isn’t something that we can solve or complete. It’s a process. It’s hundreds of tiny activities that need to happen over and over again for as long as we build and maintain systems.
Rather than focusing on the mountain ahead of you and the great pit beyond, focus on making each security step you take count. Help others around you to join the journey. Celebrate each small milestone and look at your progress over time.
Every appsec program happens one step at a time
This is one of those rare cases where it's really not about the destination. It's about the sum of your achievements so far and the lessons you’ve learned on the way.
So, if you’re embracing application security and have reached the edge of your own pit of despair, take a deep breath.
Remember that you can take one security step at a time. And before you know it, the pit will be a distant memory as you look back and see how far you’ve come.