Web Application Security

Working with Autism in Application Security

Gender disparities in STEM fields are a widespread and persistent problem.  Last month, some of my female coworkers hosted a webinar and sparked some discussion about these issues in application security.  It coincided with a great article in The Atlantic about the same thing, so it’s good that the community is devoting attention to diversity issues in general.

It’s a coincidence that I’d been diagnosed with autism at age 34, a few months earlier.  Social skills were on my mind.  Listening to women describe their problems, it struck me how many of them had to do with stereotypes and unwritten social expectations.  I already know about those things, because I’m black.

It’s the end of Autism Awareness Month as I write this.  I agree with the Autistic Self-Advocacy Network that acceptance is what’s actually necessary.  I’ve been at WhiteHat for over 6 years, and it hasn’t been an obstacle that I always wear the same all-black outfit with a hoodie and a beanie.  I tend to work from home a lot.  I was given an opportunity at WhiteHat because I’d just finished grad school, where I could mostly work at night by myself.

I don’t dislike people, but I don’t make eye contact.  I’m aware that autism can come across negatively, but I’ve always worked in settings where undiagnosed autism is more common and people let things slide.  Until getting diagnosed, I had no idea that socializing in groups didn’t sound like this to everyone else.  I just knew I could think better when it was quiet.  I didn’t consciously know that I needed to stim in order to think properly, but I knew I flip my pen constantly and generally pace in a big semi-circle around my apartment in between typing stuff while I work.

What I’ve really appreciated about working at WhiteHat is that all of that stuff was accommodated without calling it “disability accommodations.”  It’s been sobering to learn that I’m actually the world’s luckiest autistic person.  I dress the way I do for autism-related reasons, but it’s actually gotten other black autistic people killed.

The work I do fits my thinking style very well.  HTTP is a conversation, but with inanimate objects.  Last fall, Wired made the case that the security industry needs autistic people.  After noting that 70-90% of autistic people are unemployed or under-employed (!), and that there’s a massive cybersecurity workforce shortage, they add:

“At the same time, more than three-quarters of cognitively able individuals with autism have aptitudes and interests that make them well suited to cybersecurity careers. These include being very analytical and detail-oriented as well as honest and respectful of rules. And there are many other areas in which these talents could quite literally be employed.”

That matches my experience, and I think everyone could benefit from more autistic people being given the opportunity.

Tech jobs are appealing to autistic women for the same reasons they appeal to autistic men.   It would be unfortunate to gaslight them about their experiences and alienate them from the industry.  Unwanted touch is actually worse if you have problems with sensory sensitivity…

The examples of hoodies and sexual harassment show that “intersectionality” is a real thing affecting everyone’s coworkers, not just academic jargon. Stereotype threat is real and stressful, decreasing worker productivity. If you’re in a marginalized group, you know that your failures can be held up as an example of how hiring one of Them didn’t work out.  It’s good for society to acknowledge these things.

Autism Awareness Month is ending, and more autism awareness definitely would’ve helped me earlier in life!  I myself thought I couldn’t be autistic because I have empathy and not-the-worst social skills.  There’s a lot of undiagnosed autism in the tech industry, and it’s not really a joke.  I knew I was weird and I knew I used to line up my toys, but I could talk…if I have special autism abilities, they’re more verbal than mathematical.  Asperger Syndrome wasn’t in the DSM until 1994, when I was already 12.  I encourage anyone who’s wondered to get assessed, because it’s like an enlightenment experience.

I dodged a lot of bullets to end up in the Threat Research Center. It would be great if more of society could let a bit of awkwardness slide.  Everyone’s websites would be safer!