In the first article of this brand-new series, titled Career Changers, CISO MAG reached out to software developers and DevSecOps specialists. In this article, we explore cybersecurity careers for software developers. What are the opportunities for developers? What skills do they need to acquire to prepare for cybersecurity roles, and how long will it take to adjust to the new role?
By Brian Pereira, Editor-in-Chief, CISO MAG
Our first question was: What are the career opportunities for software developers in cybersecurity?
Ram Movva, President and Co-founder of Cyber Security Works (CSW) says there are a lot of career opportunities for software developers in cybersecurity.
“From a career opportunity perspective, a software developer can build products for the cybersecurity industry, especially SaaS-based software. We have 100+ openings for software developers in CSW and are building SaaS products,” says Movva.
We also spoke to DevSecOps specialists. Ambuj Kumar, DevSecOps Engineer at Curl, says software developers have a “bright career” if they come over to cybersecurity because they know coding, which is “helpful in the long run.”
Both Kumar and Movva believe that cybersecurity is important for every industry and every business. So, it does not matter which industry a software engineer is writing the code for – it is about the security aspects in the coding and “security by design.” In industry terms, this is called “shift-left,” which means security should come in at the very beginning of the software development lifecycle.
Riddhi Patel, Sr. DevSecOps Engineer at IBM, concurs with their views and says everyone wants their product or data to be secured. She tells us that organizations are now thinking more about secure coding principles.
“Enterprises have started understanding their liabilities and realize that having cybersecurity analysts in the organization is not enough. They are now training their developers to build security into software and learn to code securely. Today, every organization is shifting security to the left in the software development lifecycle. So, it’s a great opportunity for developers to work with Security Engineers and learn more about cybersecurity,” says Patel.
Skills and Training
Our next question to them was about skilling and training. We asked: What are the additional skills that a software engineer needs to acquire? And what is the best way to go about it?
“Software professionals who understand the security aspects of safe coding can become successful security practitioners, ethical hackers, and security analysts. They can implement DevSecOps for companies that are building products or providing security services,” informs Movva. “If you are a major in computer science, with a B.Sc, MCA or BE degree, and know how to write code, you can thrive in the cybersecurity industry — even if you are fresh out of college.”
Kumar says software developers need to understand network security, web security, and mobile security — and different security vulnerabilities. He says they should opt for training and certifications such as OSCP, CISSP, CEH.
The EC-Council, which owns and publishes CISO MAG, offers various courses to train software engineers for cybersecurity. One can also pursue CISSP, CEH and other certifications through the EC-Council. View a list of courses and certifications here: https://www.eccouncil.org/programs/
The Right Approach
And what are the opportunities? What is the best approach?
“In my opinion, if a person is working as a developer/software engineer and thinking about a career in cybersecurity, I would suggest that they aspire to be a security engineer (DevSecOps Engineer). They can start understanding more about cybersecurity attacks and how they happen due to insecure coding — and the impact of those attacks. As much as they learn about security attacks, they can start thinking about secure coding, which is more in demand,” says Patel.
Patel also mentioned Static Application Security Testing (SAST), a white-box testing method in which security engineers have the source code and run a SAST tool. With this tool, they can review source code manually for some critical functionalities (like authentication, business logic functionalities, any payment-related functionality) to find vulnerable functions or vulnerabilities in third-party libraries used in the application.
Another method is Dynamic Application Security Testing (DAST), a black-box testing method that examines an application while it is running to find vulnerabilities that can be exploited by an attacker.
“There are a lot of things to test in DAST, but one area that needs developer attention is to review client-side coding or a script which is executing at client side. I believe the experience of secure coding will help to find out vulnerable client-side code easily,” added Patel.
Patel also suggests that developers take part in threat modeling discussions, because this gives them a better idea of how to develop secure code: it helps them focus on the highest-risk functionality during development and give that functionality the least authorization, which helps reduce application vulnerability risk.
So how long will it take to acquire all these skills?
Says Kumar, “Overall, for a software developer, it takes five to six months of consistent hard work to establish a career in cybersecurity.”
Patel agrees and says it will take time to understand security concepts. But one must learn “in the right direction” and “be consistent.”
Views expressed in this article are personal and should not be attributed to the organizations where these individuals are employed.
About the Author
Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 27 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).