Challenges Unique to Information Security

It's interesting that Information Security has emerged as a distinct field rather than a sub-field or niche of software engineering or system administration. This is notable considering that "regular" bugs and "security" bugs both require development work to fix, and misconfigurations of either kind can be set straight by sysadmins.

There are a few specific properties of security that make it stand out from the regular software development cycle. Firstly, security involves malicious and intelligent actors. The whole notion of security exists because these bad actors may try to do something that we would rather they did not do. Typically, they find and exploit flaws to gain access or advantages they are not entitled to.

Dealing with an intelligent opponent requires a different approach, discipline, and mindset than dealing with a naturally occurring or accidental problem: a bug that nobody is looking for may sit harmlessly for years, whereas a flaw that an adversary is actively searching for will be found and used. Whether we are simulating an attack or defending against one, we need to consider the perspective and capabilities of our opponent and try to anticipate what they might do next.

Another aspect of security is that it usually involves reasoning under uncertainty. By this, we mean that when we simulate an attack, we will never know everything there is to know about the machine, system, network, or organization we are targeting. Conversely, as the defender, we will not be aware of every potential attack vector or vulnerability we might be exposed to. Both sides therefore have to make decisions on incomplete information, and neither can ever conclusively prove that no further weakness exists.


Relevant Note(s): Software Development and Systems Engineering