InfoSec Career Paths vs Programming Skills — The Basics

If you are a software engineer, then I would recommend learning more about application security and then moving into secure software engineering roles.

I’ve recently been asked numerous times, “Is being a great developer vital when choosing information security as a professional career?”, so I decided to write a more in-depth answer to the question.

Beneficial? Yes.

Necessary? By no means. Demand for development skills in infosec is rising, but the demand for general infosec specialists is growing even faster.

I know many fantastic security professionals who just hate programming. They’ll code a bit to help themselves, to build some simple automation for their tasks, but they’d never write any serious application.

The market for infosec professionals is so wild that it’ll eat almost anyone with any interest in security and some technical acumen.

Software engineers can easily become information security specialists

… and they bring a lot to the table, for organisations that need that kind of skill set.

The work required for a software engineer or programmer to become a security specialist will vary a lot depending on the person and their existing skills, aspirations and predispositions.

If, for example, you’re a software QA engineer and you know how to test software, it doesn’t take much to start including security tests in your day-to-day work. After a couple of months you’ll realize that you’ve gotten a grasp of quite a few security issues!

If you’re a network engineer, then it makes sense to learn more about infrastructure and network security in order to move into positions such as network security engineer, incident response engineer, or a network penetration tester.

This approach should help you transition into cyber security at low cost and with little anxiety. The transition is easier because, if you have a solid background in building something, figuring out how to break it and how to secure it will come more naturally to you.

If you’re comfortable in a given specialisation, you won’t feel scared of the amount of new knowledge you’ll need to possess, and that lower stress will ease you into the learning process.

So a software engineer who wants to transition into a security role should try applying security principles to whatever they’re currently doing: learn how to break the things they’ve built, and then how to make them as secure and impenetrable as possible. If you iterate enough, you can become a security-savvy engineer who can easily add ‘security’ in front of their existing job title and become a security specialist in any given field.
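The two ideas above, a QA engineer adding security tests next to the ordinary functional tests, and an engineer breaking something they built and then hardening it, fit into one small exercise. The following is an added example, not code from the original post: a hypothetical file-download helper in its “as built” form and in a hardened form, plus a check routine that runs the same functional and security inputs against both. The function names, the sample inputs and the temporary base directory are all constructed for the illustration.

```python
"""Security tests alongside functional tests for a file-serving helper.

Added example, not from the original post. The helper names and the
sample inputs are hypothetical; they stand in for whatever a QA engineer
already tests at work.
"""
import os
import tempfile


def resolve_download_naive(base_dir: str, name: str) -> str:
    """Hypothetical 'as built' version: trusts the caller-supplied name."""
    return os.path.join(base_dir, name)


def resolve_download_safe(base_dir: str, name: str) -> str:
    """Hardened version: resolve the real path and insist it stays under base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath() is the containment check; a plain startswith() would
    # wrongly accept a sibling directory such as "<base>2".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"refusing path outside {base!r}: {name!r}")
    return candidate


# Constructed inputs a QA engineer would add next to the happy-path cases.
TRAVERSAL_INPUTS = [
    "../etc/passwd",
    "../../etc/passwd",
    "reports/../../secret.txt",
    "/etc/passwd",  # absolute name: os.path.join() silently drops base_dir
]


def escapes_base(base_dir: str, resolved: str) -> bool:
    """True if the resolved path lies outside base_dir after normalisation."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(resolved)]) != base


def run_security_checks(resolver) -> dict:
    """Map each input to True when the resolver kept it inside base_dir.

    A rejection (ValueError) counts as a pass; a returned path that lands
    outside the base directory counts as a failure.  The functional case
    "report.pdf" is included so a 'fix' that rejects everything is caught.
    """
    with tempfile.TemporaryDirectory() as base:
        results = {}
        for name in TRAVERSAL_INPUTS:
            try:
                path = resolver(base, name)
            except ValueError:
                results[name] = True
                continue
            results[name] = not escapes_base(base, path)
        results["report.pdf"] = not escapes_base(base, resolver(base, "report.pdf"))
    return results


if __name__ == "__main__":
    for label, resolver in (("naive", resolve_download_naive),
                            ("safe", resolve_download_safe)):
        print(label, run_security_checks(resolver))
```

Run as a script, the naive helper passes only the functional case and fails every traversal input, while the hardened helper passes all of them. The point for a QA engineer is that the security cases live in the same table-driven structure as the functional ones, so the regression suite keeps both honest.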

I would suggest adding some good eye-opening resources to your knowledge base. One that holds value for all types of security work is learning basic Security Architecture Principles; after that, learn more depending on which fields of cybersecurity you want to explore.

Here are some great materials for Web and Mobile Applications:

  • OWASP Application Security Verification Standard (ASVS)
  • OWASP Security Code Review Guide
  • OWASP Web Applications Testing Guide
  • OWASP Mobile Testing Guide

Network and Infrastructure Security:

But to me the most foolproof and effective method of learning security skills is the following: Google things. Start doing some fundamental research in your craft; Google is your best friend here, and always will be. The sooner you learn the art of googling, the better, because we use it a ton in our day-to-day work.

If you’re writing code in C++, then google “C++ security vulnerabilities” or “writing secure code in C++”. If you’re deploying apps in the cloud, such as AWS, then google “how to secure AWS applications”, “secure deployments in AWS” and so on. Learn as much as you can from search results and from the latest news; this will expand your security expertise as time goes by.

This way you’ll learn security skills relevant to what you’re currently doing and keep up with the latest cybersecurity trends, which will allow you to live and breathe that knowledge and put it into practice in your projects.

You can become a valued security professional from any IT specialization

I often get asked how to become a security professional. My answer is: by becoming a professional in any other field, or by working your way up from whatever you’re currently doing. Reverse engineer the requirements from job offers in your area and learn what they want you to know. Then strike as soon as you feel comfortable with your skills. Research & reverse engineer job offers & learn & practice & go on interviews & understand what you were missing and why they haven’t accepted you & learn the missing pieces & rinse & repeat until you get a job.

Appreciate the journey and don’t underestimate the value of having a varied background. Do it all at the beginning, because you’ve got time.

I started my adventure in IT from the very bottom, working as a computer technician, network admin, web programmer, and system administrator. After many years, I got involved in security. I do not regret the time I spent in previous positions, because taking an indirect path provided many valuable experiences, all of which gave me perspective. My range of experience allows me to understand the problems many employees face, enabling me to make better decisions for the companies and teams I work with. I believe the security industry could benefit greatly from more diversity.

However, if we’re considering someone who has zero experience in security whatsoever but has experience in other fields of IT, then I recommend first becoming an expert in that other field, and then applying security concepts to your field of specialization. This has worked for so many talented professionals I know. Too many people want to get into security without prior experience in anything IT related. This doesn’t make most of them very valuable professionals, because they tend to make myopic decisions without considering business context. Security is merely an addition to business operations, designed to support their longevity. It doesn’t exist on its own.

You can read pentesting and bug bounty blogs, but pasting random payloads without deep understanding will prevent you from contributing much to your organization. Dive deep into anything you learn, stay curious, and enjoy ‘expert’ status in a few years.

