> Security research is inherently adversarial in nature
Interesting. My perception is it's often based on bragging rights. Which is more about ego than about an adversary. According to that theory, what matters is how deeply you understand systems or how determined you are to go the extra mile to find issues.
This extends to organizations which want to bolster their image by being at the leading edge of research.
Anyway, having an adversary is part of the picture, but what you really care about is not the victory over that adversary but your superiority on the battlefield.
Perhaps I was taking "adversarial" too literally, but to me it normally suggests an antagonistic or hostile attitude toward the other side. For example, if two next door neighbors don't get along and one of them reports any little infraction to their homeowners' association, they are adversarial. It's sort of the opposite of cooperative.
And this is not how I see the motivation and attitude of most security people. For them it is mostly about the satisfaction of (or other inclination toward) understanding how and where something might be vulnerable to exploit. It is a particular type of thinking related to creativity, thinking outside the box, and seeing things from a different perspective. (So basically what Schneier's essay says. Which fits with my point.)
There is nothing sophisticated or clever about a neighbor calling the homeowners' association. What they're interested in is the effect their actions will have on their adversary. But a security researcher doesn't usually care to actually exploit vulnerabilities. Or if they do, it is only to prove that the vulnerability exists, not to gain from it.
So, getting back to the original point, I just don't follow the reasoning that security researchers would prefer to avoid finding holes in their own employer's systems. If they viewed everything as us vs. them, then yes, they would want to take sides and protect their employer. Instead, I think that because what they really care about is understanding vulnerabilities, they would want to understand them wherever they see them, own employer's systems included.