undefined | Better HN

0 pointsryanSrich1y ago0 comments

If you're in security and you haven't at least heard of Wiz, I have doubts about what you actually do. I'm not saying you have to be a CSPM expert, but not even hearing about Wiz, when they are the largest CSPM, is somewhat concerning.

0 comments

msm_1y ago

I am in security for many years now, my main focus is reverse engineering (but I did many diverse things, including cryptography, some exploit development and the opposite, AV work, I did R&D in security automation and some development of security tools and engines).

I never even looked at a CSPM, and from my point of view[1] CSPMs are a tool only relevant for a small part of security teams focused on enterprise cloud security. Today is the first time I heard of Wiz.

edit Actually my partner works in policy/compliance/legal side of security, and I'm pretty sure she never heard of Wiz too.

[1] I wrote this only to stress how different people in the same field can see things differently.

tptacek1y ago

I've heard of Wiz, but would have had a hard time listing out their feature/benefit statement, because I don't work with CSPM tools. I don't think this "I have doubts about what you actually do" line is doing the work you want it to; it may be backfiring on you a bit.

ryanSrichOP1y ago

CNAPPs and CSPMs are extremely common tools in cybersecurity. This is my concern. If you're in cyber and don't have knowledge of these things you're either in something insanely niche, in research of some sort, or lack critical knowledge that you should have. There's a big responsibility as a security practitioner to stay up to date on new tools and techniques. CNAPP and CSPM is not some new thing that was invented last year. It's been around for a decade.

wglb1y ago

> . If you're in cyber and don't have knowledge of these things you're either in something insanely niche, in research of some sort, or lack critical knowledge that you should have

Here are some things that counter this:

https://users.ece.cmu.edu/~adrian/731-sp04/readings/Ptacek-N...: A paper that rocked the security industry at the time.

Tptacek also was cofounder of Matasano, now part of NCC; also cofounder of Latacora.

More info: https://sockpuppet.org/me/

Also the co-author of https://cryptopals.com/, https://microcorruption.com/login.

The author of https://www.latacora.com/blog/2018/04/03/cryptographic-right..., https://sockpuppet.org/blog/2015/01/15/against-dnssec/, https://sockpuppet.org/stuff/dnssec-qa.html,

These are about what I call hard-core security, hardly insanely niche, and hardly lacking critical knowledge.

philsnow1y ago

I’ve never heard or seen either of those terms before reading this thread. What you’re calling “CNAPP” I’ve been calling “endpoint security”. I’ve been building internal “CSPM” tooling since 2014 with like raw cloud api calls feeding into graphviz, CI-like tests in a terraform repo, transforming the state of a set of cloud accounts into a form I can shove into z3 and ask questions about, that kind of thing, but never heard it called that.

I suppose if your company prefers to build over buy, you won’t be exposed to the kind of knowledge and vocabulary that buyers in the space use to orient themselves.

csomar1y ago

CSPM solutions are what corporate buys when they don't want to invest in security. It is rubber-stamping and ass covering. From my experience most people involved with such platforms are rather technical sales people than actual security experts.

arachnids1y ago

You might want to google the person you’re arguing with

1 more reply

aleph_minus_one1y ago

> If you're in security and you haven't at least heard of Wiz, I have doubts about what you actually do.

IT security a very wide field. For example, a lot of positions in IT security are actually about compliance (i.e. lots of documentation), and ensuring the rollout of all necessary application patches in the whole company.

ramraj071y ago

I know diabetologists in India who didn't hear about Ozempic till late 2024.

Sometimes the simpler explanation is the correct one.

marcus0x621y ago

Compliance and patch/vulnerability management teams are a major constituency for CSPM tools.

nickpsecurity1y ago

I've been securing my cloud instances the same way I would for dedicated hardware. I use the same tools. I periodically eyeball usage data from the service providers to make sure their end is OK. Takes 5-15 minutes. Occasionally run updates. It all mostly just keeps chugging along.

What is a CSPM? Some cloud monitoring tool? What does it provide over open-source security and monitoring tools with years of field use that would make me invest time into it? Also, have these tools been thoroughly audited, scanned, fuzzed, and pentested by reputable people like some of the open source tools we've been using? Since tools are part of the attack surface, do these tools themselves increase or reduce it?

Serious questions since you think I should be very knowledgeable about these tools. My tech stack just works with minimal maintenance. So, I'd have to lose time on more important or fun stuff to even study CSPM or Wiz. Not counting setting it up.

1 more reply

udev40961y ago

Bullshit. Infosec is not just about highly inflated startups or whatever the fuck CSPM means. I know people who do exploit dev, reverse engineering, blue teaming and they have never heard of wiz. Stop overexaggerating

j / k navigate · click thread line to collapse

0 comments

msm_1y ago

edit Actually my partner works in policy/compliance/legal side of security, and I'm pretty sure she never heard of Wiz too.

[1] I wrote this only to stress how different people in the same field can see things differently.

tptacek1y ago

ryanSrichOP1y ago

wglb1y ago

> . If you're in cyber and don't have knowledge of these things you're either in something insanely niche, in research of some sort, or lack critical knowledge that you should have

Here are some things that counter this:

https://users.ece.cmu.edu/~adrian/731-sp04/readings/Ptacek-N...: A paper that rocked the security industry at the time.

Tptacek also was cofounder of Matasano, now part of NCC; also cofounder of Latacora.

More info: https://sockpuppet.org/me/

Also the co-author of https://cryptopals.com/, https://microcorruption.com/login.

The author of https://www.latacora.com/blog/2018/04/03/cryptographic-right..., https://sockpuppet.org/blog/2015/01/15/against-dnssec/, https://sockpuppet.org/stuff/dnssec-qa.html,

These are about what I call hard-core security, hardly insanely niche, and hardly lacking critical knowledge.

philsnow1y ago

I suppose if your company prefers to build over buy, you won’t be exposed to the kind of knowledge and vocabulary that buyers in the space use to orient themselves.

csomar1y ago

arachnids1y ago

You might want to google the person you’re arguing with

1 more reply

aleph_minus_one1y ago

> If you're in security and you haven't at least heard of Wiz, I have doubts about what you actually do.

ramraj071y ago

I know diabetologists in India who didn't hear about Ozempic till late 2024.

Sometimes the simpler explanation is the correct one.

marcus0x621y ago

Compliance and patch/vulnerability management teams are a major constituency for CSPM tools.

nickpsecurity1y ago

1 more reply

udev40961y ago

j / k navigate · click thread line to collapse