Security teams are typically infrastructure teams rather than product teams. Security teams make changes to existing products to make them more secure, which are usually trivial changes, not intellectually stimulating.
The interesting part is the planning happening before. For the first few months at Google, I did routine security fixes, which was boring but impactful. Then I found a project that allowed me to develop a more complex system for about 2 months, but that project has shipped to production and has concluded.
I am working actively with my manager to find projects that would allow me to write more complex software that will also help me grow technically. So the question is: how do I find these projects?
What I am doing now: stay up-to-date on new threats and what other security teams are doing at Google to see if I can draw some inspiration from them.
I’d push back a little on the notion that the 2 month project you did is truly “concluded”. Could you extend the project, apply it to more teams, or improve the discoverability of it?
To do more complex work: