Careers in Application SecurityIT Security Pros Face a Bright Future in Software Development
"Developers often don't understand the security standards and requirements that need to be addressed in developing software," says Tychansky, an application security advisory board member for (ISC)2. "My role is to show them how they can apply these recommended standards and best practices in their program."
Tychansky, represents a growing population of IT security professionals worldwide that is getting involved in application security as a new job focus. According to a recent (ISC)2 global workforce study that polled more than 10,000 private- and public-sector information security professionals globally, 22 percent of respondents are involved in some aspect of the software development process. The main reason: the growing risks caused by a variety of development tasks.
"All new innovations in application technology and product offerings by an organization carry an inherent expectation that security will be built-in," says Alessandro Moretti, a senior IT risk executive at UBS Investment Bank in the United Kingdom. "This is pushing the need for IT security to get involved."
In his own role, he has seen involvement in application security in the form of mitigating risks and concerns springing from new product offerings that embrace mobile technology and social media. As a risk manager, Moretti now works closely with software developers to ensure that IT security is part of the development process.
For decades both communities of highly skilled experts - information security and application developers - have remained in near complete isolation from each other, resulting in a software development process that lacks any sort of understanding of technical security risks or concepts.
The information security mindset is focused on risk reduction and achieving assurance. But for a traditional application developer, IT security has been just another attribute of quality that needs to be checked. This perspective is changing.
Bridging the SilosEmerging technologies, application vulnerabilities and regulatory compliance are forcing organizations to bridge the development and security silos and find avenues for interdisciplinary cooperation to produce software that is secure and better equipped to resist well-known and easily predicted attacks.
Take the case of Tychansky. He embraces a security mentorship role for application developers and constantly communicates with the group to help them understand the impact of security on software development and delivery practices. Example: pointing out which part of codes is usually exploitable and how the vulnerabilities can be fixed. Further, he plays an active role in educating developers on best IT security guidelines and practices from the National Institute of Standards and Technology , Open Web Application Security Project and the International Organization for Standardization to help them integrate security into the software development process.
"The companies that have found a path through the maze," says Alan Paller, director of research at the SANS Institute, "have identified a security-interested development leader on each development team that is trained in secure coding and can shoulder the responsibility for building security skills into every application by leading that element of the architecture, engineering and development process."
Making the TransitionFor Brad Causey, a global chapter leader at OWASP, the transition to application development is similar to what Paller notes. From a network and security architecture role, he became an application security leader at a financial institution that is ranked among the top 30 U.S. bank holding companies.
"I saw a growing demand in web application security and realized I could do this, as I understood both security and the risks associated with software development," Causey says.
He finds that understanding IT risks and communicating them to the developers is a big gap he fills. For instance, a software developer does not often understand how an attacker can compromise a web application, exposing the entire network through a single port, resulting in a compromise and the subsequent risks associated with it.
"It is the security professionals who are trained to break and exploit systems to identify potential vulnerabilities and weaknesses in the system," Tychansky says.
Security professionals have spent their entire careers responding to attacks against real systems, analyzing codes and forensics on software, studying attack profiles, understanding common vulnerabilities and threats in applications, impact of weak security controls around software and how to mitigate these risks.
And as such, they are in a position to get involved in the software development process in their own capacities and offer their security guidance and expertise to fill the gaps and challenges that organizations are face when tackling software security appropriately.
Also, the transition for security professionals is advantageous in terms of both salaries and job opportunities within the industry. The salary for an average application developer is around $93,000 USD, (Indeed.com) which is significantly higher than what an average security professional makes: $78,000 USD [(ISC)2 survey].
Online companies and tech firms such as Google, Apple, Amazon, Facebook are increasingly looking for innovative thinkers with knowledge of Android and mobile applications.
Further, the focus on identity management, secure products and access control is driving the need for these professionals in traditional financial institutions, government agencies and healthcare organizations. Positions range from qualified security programmers, web application developers, software engineers to security architects.
New Skills NeededSecurity professionals embracing application security roles need to acquire new skills, including an understanding of secure coding and the software lifecycle development process. Causey, who made this transition, recommends:
- Education: in-depth knowledge of application architecture, the scope and effect of web applications and the risks they pose.
- Language: Security professionals should get trained in reading at least one or two languages such as Java or .NET to understand how codes can be securely written.
- Associations: Organizations such as ISC2, OWASP, SANS Institute and ISO provide specific training and education for security professionals in this field, and Causey suggests reaching out and becoming a member for more exposure and knowledge.
"This is not a hard transition for security professionals," Causey says. "In the next several years, the percentage of every company's security team will grow up to 60% by application security folks. This is the time to think beyond firewalls and access controls."