The Quality Assurance Mindset

Bruce Schneier has a new commentary at Wired, Inside the Twisted Mind of the Security Professional, in which he notes that “Security requires a particular mindset”:

Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.

I would argue that the security mindset is a specialization of the QA mindset.
Bruce Schneier comments further:

I’ve often speculated about how much of this is innate, and how much is teachable. In general, I think it’s a particular way of looking at the world, and that it’s far easier to teach someone domain expertise — cryptography or software security or safecracking or document forgery — than it is to teach someone a security mindset.

My wife often calls me a natural-born QA engineer. In general, I take that as a compliment, which isn’t usually the way my wife intends it.