The concept of purple teaming is something I fell in love with many years ago, when I was experimenting with various ways to make myself more effective. Everything changed, in a good way, when I started embracing a culture of collaboration, where attackers and defenders work together to find the best possible way of securing the products.
We’re there to help secure the business by working with all stakeholders, not just to pwn stuff and laugh at people who made a mistake. Being a pwn-all-the-things rockstar asshole is overrated: while fun in the short term, it gives terrible results in the long term.
Purple teaming for the win. Let’s see how this concept can be applied to day-to-day business operations that go beyond security red and blue teaming.
Become a member of each department
Having an independent security department is expensive and hard to scale. It’s far more effective to work side by side with the people who ship the products, especially in small organisations where a security culture isn’t yet established and people don’t report all the things you’d expect them to.
As a third-party consultancy you’ll often be late to the party, because people either forget, don’t have enough time for proper communication, or are afraid that you’ll add burden to their existing workflow.
Becoming a team member makes everyone more socially comfortable with your presence and role, which lets you do your work efficiently. Some of us painfully learnt that a “we vs. developers” approach doesn’t work if the goal is a healthy and friendly environment. It creates a toxic atmosphere where people do their best to hide things from you instead of collaborating on a workable solution.
Join one team for a few weeks and then jump into another to build good relationships with your peers across the whole organisation. Don’t just sit in your cubicle waiting for someone to call you for help, because that’s not going to happen.
Delegate instead of trying to fix everything yourself
To maximise your impact, you should learn how to delegate some of your workload. There is so much to be done, continuously, that if you put everything on your own shoulders you become a bottleneck for security improvements, which is the opposite of what you want to achieve.
Beyond time management and the fact that you can’t always be a one-man army, delegating tasks serves an important educational purpose.
By handing the work back to the person who wrote or deployed the code or service, you help them understand the mistakes they’ve made so they know how to do better in the future. If you fix everything yourself behind the scenes, people will keep making the same mistakes over and over, because they may not even be aware that they did something wrong: no one ever raised any concerns about their code quality.
Apply the same approach in all aspects of the business and educate people on how to do their day-to-day work securely. You can also teach internal QA teams to do basic security testing, which gives you additional eyes looking at the products from a different perspective.
Use your specialised skill set to focus on the things that matter and leave the rest to others who are more capable, or who are actually supposed to do that type of work.
If you’re a great web pentester and a good software engineer you can surely fix the bug you’ve found, but is it the smartest thing to do? If you’re the only security expert while there are 50 software engineers in the company, you’re better off delegating the fix to them so you can focus on the things only you can do.