Why security expert Brook Schoenfield is denying DevSecOps

After spending years building up a reputation at highly regarded cyber security firms such as McAfee and Cisco, Brook Schoenfield decided to use his experience to write a book called ‘Securing Systems: Applied Security Architecture and Threat Models’. This gained him even more traction in his sector and he now works at IOActive as a Master Security Architect, where he spends his days building robust, self-sustaining security architecture programmes. Joining us at 8am US time, Schoenfield’s positive demeanour was contagious. Full of energy, he spoke about the people he has known and the things that have happened throughout his career to get him where he is today.

It is clear that Schoenfield has a deep-set knowledge of cyber security and when asked why it is so important today, he spoke of how there needs to be somebody in charge of the rapidly developing problems we are exposing ourselves to. “Basically, the internet is giving us the ability to connect. But nobody is policing it. It’s very easy to be anonymous. We are getting close to maybe 7.5 billion on the planet and not everybody is connected. But for those of us who are connected, the internet and digital stuff is key. Why? Because banks use it to transfer money around and pay things and build things. You don’t actually have any money in your bank, right? You have a bunch of zeros and ones. And you can just bring that right down to the phone in your pocket. All these computers. And they are general purpose computers, these phones today, if you want to use them for entertainment, or whatever you want to think about, our lives are incredibly meshed in this digital world and it gives people the opportunity to steal and take and with a good deal of anonymity.”

He goes on to discuss how easy it is for hackers to remain anonymous online and to get away with the damage they cause. “If you accost a person, there’s some danger in that, and also the person might recognise you and be able to point you out in a lineup. But on the internet, you don’t have to be close to a person, you could be thousands of kilometres away on the other side of the planet. And still carry off your burglary or whatever. It’s not that these gangs don’t want the usual things, but they are cyber-criminal enterprises.”

A world-wide issue

In his eccentric way, he suddenly remembers something and starts to tell a story from ten years ago, when the Russian Mob (which he gives only as an example) claimed they could make $11 billion from illegal cyber activity. This brings the security expert to the wider impact that hacking is having.

Despite the early morning croak in his voice, it was easy to hear how passionate and knowledgeable Schoenfield is about what he does, especially as he continued on the topic of world-wide hacking issues. “Whatever you want to call it, there’s a bunch of nation states attacking each other all the time. I don’t want to pick on anybody, and I certainly don’t want to be jingoistic about my own country (USA), because we are the first ones to admit to a cyber-attack. These countries are attacking each other and so we become the regular old collateral damage citizens. And companies that have interesting stuff that one or more countries want, they are targets of super states that have computers, thousands of resources, $60 billion-dollar budgets. That’s an actual number of the black number of cyber stuffs of the NSA, one of our spy agencies. So, assume that [other powerful countries] have equally fat budgets and you realise that all of that’s going on in the internet right now.”

“All the connected people who do their banking on the smart phone in this world, buy our petrol with a payment card and go to the supermarket and buy our groceries with a payment card, we’re all part of the collateral damage, getting ready to be attacked, or just be hurt because we happen to be in the wrong place cybernetically at the wrong time. And that’s the situation in which we live. So, is security important? Well, all of this falls apart, and is falling apart anyway in its own way. Lots of people get hurt all the time, faster than I could go through the whole litany of accounts drained and what not. Nevertheless, we’re just trying to get on with our lives, and if we, the security industry, can find a way to protect people, it would be a good thing. And protect our enterprises so they could go on with their businesses to drive our economy. All of this is important and affects everything, basically. It’s a pretty serious situation,” he continued.

Ethical hacking

Having worked for a firm that discovers hacks in anything from robots to planes, Schoenfield’s repertoire in cybersecurity is varied, to say the least. As part of his portfolio of expertise, the master security architect has been described as an ‘ethical hacker’. When questioned about this, he explains that although this is true for him, a lot of this type of work generally revolves around money and the work we choose to do. But he also talks about how he wanted to do it as a way to improve things. “We are all trying to make the world better, without adding clients. We are all doing something. We are busy digging into some piece of software, a car, and seeing how it will break. Not only whoever produces that software, but whoever produces the industry.”

After another anecdote about his colleagues breaking remotely into a journalist’s car, Schoenfield puts aside the ethical hacker role and talks about his real passion in life. “My focus has been around software and how to build it well. I am the technical lead for our programme for technical design. So, you build software and you try to get all of the mistakes out of it. Not only do you build the software, but you have to implement it and get it right, but you also have to get the security right, too. And I run the security design, basically. And that’s what I’m known for. It just so happens that when I got my second security job, I had then a chief designer, who had a lot of security with that, and at that time, almost nobody came out of a software background. So, Cisco Systems ate me up because there weren’t a lot of people with design experience. They had people like hackers, but they didn’t have people with design experience. They wanted someone who could structure it and think about how things go. So, that’s been my experience for the last 20 years. And that’s what my book’s about.”

He finishes by explaining why he dismisses the idea of DevSecOps: he simply believes that developers and those in security need to start working together more in general to produce the best work. “I learnt from the agile teams that you can’t just drop in, you have to work on the teams, you have to be part of things, you can’t just input on a load of things and walk away, you have to be part of it. A lot of it is cultural and you have to establish the relationship.”

He adds, “Being contrary, I believe that security doesn’t play a different role to anything else in software. We may call it a different name, but does it make it any more special? No! It has to do a job and that role may involve a different process, but it still has to be done. Security people bring a different kind of knowledge, but in the same way other team members do too. I don’t care what you call it, but let’s think about what we need to do.”
