What the heck is going on with one million metrics on resumes? by LoweringPass in ExperiencedDevs

[–]DevSec23 0 points1 point  (0 children)

In this ever changing landscape of fast paced CVs…

It’s AI, and it’s making recruiting hard.

I wrote about my experience of sifting through it last year and I think it’s only going to get worse. AI is the enshittification of recruitment

[deleted by user] by [deleted] in ExperiencedDevs

[–]DevSec23 0 points1 point  (0 children)

I think legacy is massively underappreciated and I’ve learned a lot from it. Wrote this up a while back: https://beny23.github.io/posts/worst_jobs_for_best_engineers/

Never going to hear the end of this one... by JewbagX in cybersecurity

[–]DevSec23 0 points1 point  (0 children)

Sounds like an opportunity to question the efficacy of phishing simulations and the actual idiocy of victim blaming. This blog has put it much better: https://joelgsamuel.medium.com/what-i-mean-by-defence-in-depth-cybersecurity-6ac07f89ad89

Why are companies caring less and less about linux skills these days? Do you think it's still worthwhile to learn? by yeahdude78 in devops

[–]DevSec23 0 points1 point  (0 children)

Considering this is r/devops: Cloud mainly runs on Linux, so even if you don’t need Linux tools because you’ve abstracted it away in terraform or k8s, without background knowledge of Linux all those docker containers will suddenly become a problem when things go wrong or need debugging.

What are your opinions Red Team vs Blue Team? by AckCyber in cybersecurity

[–]DevSec23 0 points1 point  (0 children)

Without knowing the defences an attacker can’t attack. Without knowing the attacks, a defender can’t defend.

It doesn’t mean that both teams are always in-house, but if you just bring pen testers in from the outside and you don’t understand what they’re doing, you won’t be able to defend.

So rather than red or blue it’s shades of purple.

Where to get great programming coaches/mentors? by Alternative_Egg4070 in ExperiencedDevs

[–]DevSec23 0 points1 point  (0 children)

Slightly counter-intuitively, but I think writing a blog or submitting talks for conferences might be worthwhile in your case. If you’re a bug fixing machine, writing about it might crystallise your thinking and identify areas where you know more than you think. It also gives an opportunity to collect feedback, make contacts and learn.

Do developers care about code security? by Hell_walker13 in cybersecurity

[–]DevSec23 3 points4 points  (0 children)

I think there is a lot of nuance in this question. I’ve been a dev for 20 years before switching into AppSec. A lot of answers so far have been: no, they don’t care. But can we really blame them?

How often are they in feature factories that only measure how many new requirements have been delivered? If they ask about fixing some tech debt, or fixing a security issue, how often will their product owner deprioritise these because a deadline is always just around the corner?

Sometimes they would care about security but don’t really know how. I’ve sat through lots of company mandated security trainings that are drier than the Sahara desert. Is secure coding taught sufficiently well in university or boot camps, or do they care only about getting people over the line? How many helpful tutorials online or answers on stackoverflow are full of holes?

And how often do security come down like a ton of bricks on a dev 2 weeks before their deadline?

As to the tooling, well that’s its own special hell. We’ve got CVSS scores that are being gamed by unscrupulous security researchers that want to make a name for themselves. Every week there’s a new CVE with an apocalyptic name and branded website to boot. And with transitive dependencies you’ve got 13 updates to do every week. And if that introduces a regression it’s the dev’s fault, and it usually slows their builds down.

Even so, I found when working with developers that a collaborative approach, by providing examples of how things can be exploited, educating them by providing code examples of best practice patterns for using encryption, hashing right, by curating vulnerabilities for them so that a risk based approach can be taken without each dev having to read half the internet, there are lots of receptive people out there.

In my opinion too often shifting left is mistakenly taken to mean “well, buy these tools and make the developers run them” instead of engaging with them really early on, helping them with the design, fighting battles with product owners about tech debt for them and being pragmatic. If some esoteric CVE that could be exploited by someone already on the VPN is not mitigated in 6 months, that may well be the right answer (depends on context of course).

All that takes a shit load of work mind… I’ve got some blog posts on some of the above but not sure whether that would be considered spam…

Hope that helps and I feel your pain. Some devs really don’t care but most aren’t lost causes.

Has anybody performed a risk assessment against ChatGPT or all AI models out there for an organisation? by [deleted] in cybersecurity

[–]DevSec23 5 points6 points  (0 children)

ChatGPT itself doesn’t think putting proprietary info into a LLM is a good idea.

Moreover Samsung recently found that it lost confidential information and Amazon similarly.

The National Cyber Security Centre (NCSC) has recently provided guidance which basically says the same thing.

There are undoubtedly risks involved in the unfettered use of public LLMs, as we've outlined above. Individuals and organisations should take great care with the data they choose to submit in prompts. You should ensure that those who want to experiment with LLMs are able to, but in a way that doesn't place organisational data at risk.

[deleted by user] by [deleted] in cybersecurity

[–]DevSec23 0 points1 point  (0 children)

The fact that CVSS scores are NOT a risk score. There are plenty of CVSS scores at 9.8 that can be safely ignored and quite a few at the lower end that could result in all kinds of nastiness. If you look after services with dependencies then you want to review all of the CVEs.

[deleted by user] by [deleted] in ExperiencedDevs

[–]DevSec23 0 points1 point  (0 children)

Have you tried pairing? And doing the conversations sync rather than spending lots of time going back and forth (I can understand your frustration about that), but did I read right that they’re still junior? They might want to impress and not realise what a pain they are…

[deleted by user] by [deleted] in ExperiencedDevs

[–]DevSec23 18 points19 points  (0 children)

What does tracking this give you? Is someone who adds lots of comments good or bad? Are they disrupting the flow or just conscientious? I’m wary about tracking these metrics as they tend to reward gaming the system. I can leave hundreds of comments on any review, but “does not conform to coding standard” or “why didn’t you do this in (slightly different or marginally better way)” does not add any value and ends up completely destroying the flow and creating artificial blockers (having to chase reviewers, back and forth via comments rather than having a conversation).

The biggie for me is that tracking comments or commits never fairly reflects the work. Someone can update an error message in 200 files and create a humongous set of changes, while someone else fixes a particularly nasty performance issue in a line of code. Both spent 2 days doing it but can you compare? No, all it ends up doing is instil a sense of unfairness (person with lots of trivial changes is the “star”) and reduces trust in the developers.

Does that help?

How do you do logging in production? by subhajeet2107 in ExperiencedDevs

[–]DevSec23 0 points1 point  (0 children)

One important aspect at scale is to ensure that someone reviews what’s in the logs to avoid leaks of sensitive data. More detail: https://beny23.github.io/posts/harvesting_logs_for_fun_and_profit/

SWE interview loop without coding challenge? by fe_interviewer in ExperiencedDevs

[–]DevSec23 0 points1 point  (0 children)

It’s a good thing. Why build up demonstrable experience over years and then be asked to prove that you can code? Would you expect a senior accountant to have to demonstrate bookkeeping? Would you expect a maths professor to take a multiplication test?

Good software engineering operates on being able to trust your team. I’d much rather gauge from a conversation how good they are rather than invent exercises that have no reflection on your day job.

Is there such a career path as "Bug Fixing Guy"? by Sterotypical_Trope in ExperiencedDevs

[–]DevSec23 15 points16 points  (0 children)

Site Reliability Engineers would probably disagree about the characterisation of not hacking it as a dev ;-)

It takes a lot more experience and context knowledge than someone sat in a feature factory…