I've long held more or less these viewpoints. I find that, because of the traditions that the field comes from, it is very difficult to get them across to many in our profession (I'm an application security specialist who works in app pentesting and developer education, primarily). I have even gotten a sort of dumbfounded stare when I ask "where do vulnerabilities come from? not out of nowhere!" and use the slogan "everything is application security" as an approximation to get people thinking. It sometimes works.
I do quibble with "engineer", however. In Canada, where I am, "Engineer" is what we call a protected title - professional associations restrict who can call themselves things like "physician" and "lawyer" - and this extends to "engineer". In fact (because professional certification is by province here) we've even one province's Order of Engineers who have had their lawyers send cease-and-desist to "software engineers" who were calling themselves that without the relevant academic and professional certifications. I think we can aspire to one day becoming part of that group, though, and some places are moving on it. I think one prerequisite to properly doing so will be to take notice of some of what our host has written about, which is why I mention the "quibble".
This gives a new perspective to how we see security.
I could not agree more. Great writeup.