This was originally going to be a very different post. I was going to write about how uninteresting I've come to feel security is because of how much of the vulnerability that security practitioners deal with is the same as it has been for years. I was going to write about what a toxic place the infosec community can be and how self-destructive it is for particularly revered individuals like cryptographer Matt Green to be attacking developers for not meeting their standards. I wanted to say that I felt like the kind of behavior that's so prevalent in infosec makes it impossible for me to view security as something worth contributing to, as a developer, with so much vitriol to fight against just to get a foothold.
It's been over a year now since I've adjusted my focus from the non-profit space, where I worked on privacy and censorship-evading software, to the more corporate-style security space. I've explored a lot of subject matter, taken up a job at a security company, done some relatively novel work in applying capability-based security to microservice applications, and have joined excellent communities like Defcon Toronto. Despite all of what I could arguably be said to have accomplished, I felt like I hadn't really "made it" in the security space. I saw all the drama, the pettiness, the exclusivity, and thought about my own experiences at work having been told that too much time had been spent on security. I internalized all that and convinced myself or, rather, was convinced, that this couldn't be a productive path to follow. I talked to my developer friends and asked about their experiences dealing with security folk and heard exactly what I expected- they generally don't like them. They see them as lazy gatekeepers who slow things down preaching about best practices but never helping to build anything. They see security as boring- always ruminating on variations of the same theme. It's no wonder.
But, after taking a different perspective on things, it's occurred to me that it's pretty ridiculous to cut the ties I've made. It should be obvious that this is the case, but I can appreciate now that it doesn't have to matter if someone I looked up to turns out to be a self-defeating jerk. That just means that that person is not as good as I thought they were, and that they are doing us all a disservice by pushing away people who could help them and the larger community. There are other communities and better people out there doing good work, and some day the larger infosec community will have to drop the rockstar worshipping if anyone actually cares about improving technology.
I have dealt with depression in the past. It has unfortunately been a part of my life since my early teen years. It has always been hard for me to talk about it, because I don't want to accept it as a part of who I am, but also because it's a deceitful and manipulative beast. I hope that I've managed to persevere through this period in time to prevent myself from making a mistake and pushing the friends I've made in infosec away. If, after all of this, I come out still dissatisfied with the work I've done in security, I know that I can still change my focus and do what interests me, and that the good folks I've met will still be here when I want to come back.
So, to my friends and colleagues, I'm sorry for making you worry. I'm not going anywhere. Thanks for being there.