Before I switched career paths to work in cybersecurity, I was a developer. Over the years, I worked primarily as a web developer, but I have also worked on desktop and mobile app projects. Because of that background, I have a keen sensitivity for how people on the receiving end of a penetration test report will view the findings, and I try to use that empathy to help pentesters avoid common pitfalls in their reports. Often, the people working in development departments know that the tools and libraries they are using are out of date, but they can’t get management buy-in to make updates and/or upgrades.
We can, and should, do what we can to support those people by providing them with good information without being condescending or patronizing.
To help spread this message, and hopefully encourage others to build bridges between the infosec and development worlds, I’ve given talks at Wild West Hackin’ Fest and other conferences about why developers hate cybersecurity and what we, as cybersecurity professionals, can do to make things better.