There are a lot of different types of work that tend to get put into the bucket “security engineering”. The goal of this post is to describe how I categorize different kinds of work, and why this is useful. At the highest level, security work goes into one of four buckets:

Work that prevents us from getting owned. In this bucket are things like fixing bugs as well as fixing root causes so bugs don’t appear.