Security, it’s a topic that’s become near and dear to my heart as a software developer. But that doesn’t mean that every developer shares my perspective.
What’s more, we’re a funny breed. Despite being surrounded by so much of the most modern technology, we can often drag our feet on things that we know, somewhere deep down inside, we should be better skilled at.
Security is one of those topics and an important one at that. Given the security breaches in recent years, and the scale and severity of them, not to mention the impacts on peoples’ lives, it’s important that we take security more seriously.
The question is how? How do we get software engineers to take security more seriously? As developers, we’re often already 1) under significant pressure to deliver new features and 2) fix existing bugs based on deadlines outside of our control.
And on top of that, we have organizational stresses and pressures, such as the very public recount of the culture inside of Uber by former employee Susan J. Fowler. Combined, they can make it difficult to set aside the time to grow a security awareness and competency such that it’s a natural aspect of our daily lives.
But, if psychologists have shown us one thing it’s that when we care, we act. So the question is: how do we get software engineers to care about security, to care enough to improve their knowledge on a regular basis?
Well, today I’m going to impart to you five reasons why you, as a developer, should care about application security. I’m also going to show you practical steps which you can take — starting today — to do so.
You Can Help Avoid Falling Victim to Security Breaches
Let’s start off with the most basic of reasons: it can help you avoid both pain and embarrassment. Whether you’re working for a Fortune 500 company, a small community organization, or a startup if you create applications that are accessible on the web, they’re a potential target.
As such, the applications that you’re involved with, at some time, are likely to either be breached or have an attempt made on them. Breaches come in many forms, from something as simple as being defaced, to something as disastrous as financial and personal information being stolen and sold — as happened so publicly at Ashley Madison.
In times like these, reputations can be ruined and careers can come to an end. Perhaps I’m being a bit dramatic (perhaps I’m not). But, the more that’s on the line, the more that is lost, the more likely a scapegoat will be sought.
Don’t let that be you by being part of the problem. Don’t let it be you by not being a part of the solution. By building your security skills, you can help avoid this happening in the first place, as you’ll be better able to recognize when unsafe practices are used and insecure code is deployed, and by raising awareness of that with your team and management.
Build a Rewarding Career
Because it’s a topic both so intimately intertwined with computing, as well as having the potential to impact so many people so deeply — and so expensively — when breaches occur you can understand that it’s an in-demand subject. There’s a lot at stake which needs to be protected, and there’s often a lot to do to achieve that protection.
As a result, people such as Troy Hunt have demonstrated that by developing your security skills, you have the potential to build for yourself a very significant and rewarding career.
Whether that’s purely from the piece of mind which can come from knowing that the applications you’re involved in are better able to withstand attacks, by being able to travel the world, by teaching and training your peers, or by being called on regularly as a respected expert, the opportunities are there.
What’s more, with such an in-demand set of skills, it’s understandable that your regular remuneration will be higher than the average, broad-skilled developer. Sure, it takes dedication and focus to build your skills regularly. But even a casual glance of the opportunities might be enough to convince you.
You Can Reduce Your Workload
This might sound counter-intuitive, given that I just encouraged you to start setting time aside regularly to build your security skills. It might seem especially so when you look at how long some of the people I’ve linked to below have been involved in security.
Some, such as Bruce Schneier, have been involved with security since as early as 2004. And given that he was able to do so then, he had to have been learning for a lot longer.
But, consider the bigger picture and consider the long run. I agree that, at least in the short term, your workload will increase. It’s logical that it should. But, over the longer term, as your knowledge grows you won’t have to work as hard to maintain it, and it will be easier to continuously grow.
Then there’s the application-specific workload reduction. Research commonly indicates that when work is done up-front, it is often drastically less expensive than work done later or bolted on at the end. So too should this model hold concerning security.
Every developer is aware of technical debt and the cost it brings over time. Application security debt is no different. These costs, both monetary- and time-based, can become significant if left unchecked. However, if appropriately approached and managed, can lead to a reduced application lifecycle cost.
You May Gain More Respect
This is something which is hard to quantify in a tangible sense. Yet, it is worth noting nonetheless. Authorities in any field, whether that’s security, finance, sport — or anything else — generally enjoy a healthy amount of respect.
Often, this is as a direct result of the knowledge which they hold and can convey when required; often at conferences, speaking panels, writing books, being a guest on a podcast, or writing expert tutorials.
I’m not necessarily talking about security veterans such as Troy Hunt or Bruce Schneier. You could be the local expert in your city on security, or in your company. But, you could be regarded as an international expert, if that’s what your ambition and time allows.
Would you like to be considered an authority by your peers and colleagues? Would you be motivated to work harder and learn more if you were? Does the possibility of being invited to give your input and opinion because you’re considered an expert authority excite you?
I wouldn’t be surprised if you thought this point contained more than a hint of ego or narcissism. But it needn’t. Just because someone’s considered an expert doesn’t mean that they’re self-obsessed. Focused, yes. But often the genuine experts I’ve spoken with are quite humble and self-effacing people.
Regardless, if you’re keen for more respect, more opportunities, more experience, consider improving your security skills so that you can be a noted security authority.
The Resources Are Plentiful
From blogs and courses to podcasts and conferences, the resources abound. We’re all busy, but that shouldn’t prevent us from learning if we want to.
Given that, I’ve compiled a short list of resources for you to choose from, based on how you learn best, as well as how much time you have to spare.
- Cyber Security for Beginners
- Start Using Wireshark to Hack like a Pro
- Ethical Hacking: Hacking Web Applications
- Ethical Hacking: Hacking Web Servers
- Ethical Hacking: SQL Injection
- Penetration Testing and Ethical Hacking
- OWASP Training
- Troy Hunt: The Australian Microsoft Regional Director and MVP. He also tweets at @troyhunt.
- Krebs on Security by Brian Krebs. Brian is an independent investigative journalist, specializing in cybercrime. He also tweets at @briankrebs.
- Dark Reading: one of the most widely read cyber security news sites. It reports on attacks and the key ways to defend yourself against them.
- Schneier on Security by Bruce Schneier. Bruce’s been writing about security since 2004 and is the Chief Technology Officer of Resilient and a board member of the EFF (Electronic Frontier Foundation).
- OWASP Podcast
- Crypto-Gram Security Podcast
- Risky Business
- Down the Security Rabbithole
- Defensive Security
There’s five ways, five potential reasons why, as a software engineer, you should care more about security. They may not all be things that directly motivate nor inspire you. But I’d suggest that at least two or three may have struck a chord with you.
If, for no other reason than taking pride in your work, and in so doing knowing that the applications you’re involved in are [becoming as] secure as they can be, security should be on your radar.
Actually, it should be more than on your radar, it should be something which you take as seriously as software testing and scalable application design.
I hope that you’re inspired to care more, both more deeply and more passionately, than you have been up until now. I encourage you to check out the resources offered in the final section, as well as any of the preceding four and consider devoting part of your career to growing your application security skills.
About the author
Matthew Setter is an independent software developer and technical writer. He specializes in creating test-driven applications and writing about modern software practices, including continuous development, testing, and security.