Can I write a sentence about offensive security engineers? #75

Open
oliviagallucci opened this issue Jun 28, 2022 · 3 comments

Comments

@oliviagallucci
Contributor

> Note that in this course we focus on attackers, not hackers. In the computer community the term “hacker” is widely used to identify *“a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.”* ([IETF RFC 1983](https://tools.ietf.org/html/rfc1983)). By this definition, many hackers never attack computer systems, and many attackers are not hackers. This course focuses on foiling attackers.
>
> If you are looking for ideas for potential security requirements, one source is the [*“Common Criteria for Information Technology Security Evaluation” (CC) part 2*](https://www.commoncriteriaportal.org/), which is freely available. The CC is an international standard for evaluating security that was originally developed in 1994. The vast majority of software developed today does not undergo a CC evaluation, in part because it is often both expensive and time-consuming to have an external lab formally evaluate your software using the CC. However, you can still look at the CC for ideas even if you will not use an evaluation lab. The CC is publicly available and has 3 parts: part 1 is an introduction, part 2 is a list of common security functional requirements, and part 3 is a list of common assurance requirements. Part 2 in particular is a list of *“security functions you might require”*. If you suspect your system will need some special security requirements, but are not sure what those might be, part 2 provides a long list of ideas that might be useful. Some of its terminology is arcane, but it includes a glossary which can help.

I think this would be a great place to mention hiring OffSec folks to test software, systems, and networks, specifically if they feel they need extra assistance understanding the current threats in their software and how they can be exploited. Purple teams, which are harder to make well and more expensive, are also beneficial because they can help the developers find the exact code that is being exploited.

@david-a-wheeler
Contributor

We could. We need to be careful to not add too much here, since this is primarily about "what the course is and isn't", and we want to quickly get them into the course materials. If you want to propose just a sentence or two, that might work. You might want to include "penetration testing" - that's a term more people would know.

However - you might get more "bang for your buck" by adding material later, e.g., in verification. At the early part of the course, the learner doesn't really understand what this is all about. By that point, the learner knows much more, so you can actually discuss more usefully how different expertise can be used together.

@oliviagallucci
Contributor Author

Awesome. I am working on a section for this now.

@oliviagallucci
Contributor Author

Also, doing a section for purple team too.
