As cyber security becomes more and more important to businesses, governments, and our personal lives, the need for good security engineers and researchers is growing at a rapid pace.
This is true whether one is working in an entry-level position or is already a senior researcher.
It is often said in the security industry that “It is easier to teach a developer about security than it is to teach a security researcher about development (coding).”
Information security professionals are used to seeing, experiencing and talking about failures in the industry. This usually leads them to assume that badly written (vulnerable) code is always the product of unskilled developers. If these professionals have never been exposed to software development, even at a small scale, then they do not have a fair understanding of the complex challenges that developers face in writing secure code. And I think that a security professional cannot be effective in designing detective and preventive security controls (tools, architectures, processes) if he or she doesn’t appreciate these challenges.
Let me illustrate that with an example: “code injection” attacks against NoSQL databases versus SQL databases. Simply put, SQL and NoSQL databases both collect, organize and accept queries for information, and so both are exposed to malicious code injection. So, when NoSQL databases became popular, people were quick to predict that NoSQL injection would become as common as SQL injection. Though that is theoretically true, developers know that it’s not that simple.
If you take some time out to understand NoSQL databases, you will quickly realize that there is a wide variety of query formats, from SQL-like queries (Cassandra), to JSON-based queries (MongoDB, DynamoDB), to assembly-like command queries (Redis). And so security recommendations and tools for a NoSQL environment have to be targeted at the individual server that is underneath. Also, your security testing tools must carry injection payloads in the format of that specific database. One cannot blindly recommend controls or preventive measures without understanding that the same vulnerabilities are not present on all platforms. Encoding recommendations for data will be specific to the database type as well. This OWASP article explains how one can test for NoSQL injection vulnerabilities.
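To make the MongoDB case concrete, here is an added example (it is not code from the original post): the same login lookup built two ways from a JSON request body. The first builder copies the decoded values straight into the filter document, so a value that arrives as a JSON object rather than a string is passed through as a query operator; the second only ever builds the filter from plain strings. The function names, the `contains_operator` helper and the two sample request bodies are constructed for illustration; nothing here talks to a real database, and the same check would be meaningless for a CQL or Redis backend, which is the point of the paragraph above.

```python
"""
Added example, not from the original post: a MongoDB-style filter document
built from a JSON request body, in a vulnerable and a hardened form.
All names and sample bodies are constructed for illustration.
"""
import json

# A normal request body (constructed sample).
NORMAL_BODY = '{"username": "alice", "password": "s3cret"}'

# A body where "password" is a JSON object rather than a string.
# In MongoDB's query language, keys beginning with "$" are operators, so a
# builder that trusts the decoded types lets the caller change the query
# itself instead of supplying a literal value (constructed sample).
OPERATOR_BODY = '{"username": "alice", "password": {"$ne": ""}}'


def contains_operator(value):
    """Return True if a decoded JSON value carries a MongoDB operator key
    ("$..." as a dict key) at any depth. Useful as a detection check in
    request logging or in a test harness; it is database-specific."""
    if isinstance(value, dict):
        return any(key.startswith("$") or contains_operator(inner)
                   for key, inner in value.items())
    if isinstance(value, list):
        return any(contains_operator(inner) for inner in value)
    return False


def build_filter_unsafe(body):
    """Vulnerable: the filter takes whatever types the JSON body carries."""
    data = json.loads(body)
    return {"username": data["username"], "password": data["password"]}


def build_filter_safe(body):
    """Hardened: the filter is only ever built from plain strings, so a
    nested object (and therefore any operator) can never reach the query."""
    data = json.loads(body)
    username = data.get("username")
    password = data.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be plain strings")
    return {"username": username, "password": password}


def rejected_by_safe_builder(body):
    """True if the hardened builder refuses this body."""
    try:
        build_filter_safe(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, body in (("normal", NORMAL_BODY), ("operator", OPERATOR_BODY)):
        unsafe = build_filter_unsafe(body)
        print(label, "unsafe filter:", unsafe,
              "operator present:", contains_operator(unsafe),
              "safe builder rejects:", rejected_by_safe_builder(body))
```

Note that the fix is a type check, not output encoding: for a JSON-document database the boundary between data and query is the JSON type of the value, whereas for Cassandra's CQL the equivalent control is a bound parameter in a prepared statement and for Redis it is keeping user data out of the command position. The check in the example would catch nothing on those platforms, which is exactly why controls have to be chosen per database.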
This is the kind of knowledge one gains by digging deep into a subject and experimenting with technologies at a developer level. And so people with development backgrounds can often give better technical advice.
If one looks at the people leading security programs or initiatives at companies like Apple, Facebook, Google, and other large successful tech companies, many of them are respected because they are also keeping their hands on the keyboards and are speaking from direct knowledge. They not only provide advice and research but also tools and techniques to empower others in the same industry.
So to summarise, I would like to say that whether one is a newly graduated engineer, a senior security professional or a security researcher, one should never lose sight of the code, as that is where it all begins!
Picture courtesy: http://www.icd10forpt.com