In an upcoming blog entry, could you post the characteristics of what a software security architect looks like from an HR perspective?
In my experience, it is a mix that depends on what you are looking to do. Deep experience in one or more areas is important. The ability to do normal architecture things in terms of having the ability to deal with and create a conceptual model that maps functional and non-functional requirements together. In addition, the security architect must have the ability to deal with and create the threat model and risk analysis that results from the requirements. This requires the ability to think like an attacker, and create actionable models and countermeasures. A working understanding of risk management practices. Lastly, a large part is understanding the security protocols and standards, where they work, where they don't and how to integrate them.
How much should these folks get paid?
Likely slightly more (10%?) than "normal" architects, because they need to span several disciplines.
How can I distinguish them easily from just regular software developers?
Some things that can help are: 1) they need to be able to span lots of technologies typically. One week may be XML, MQ and J2EE and the next .Net. So a broad understanding of the technologies and underlying security protocols and standards are available. 2) Ability to make order out of chaos. 3) the ability to understand and work in a process and comfortable with incrementally achieving results over time.
"Programming a computer is straightforward: keep hammering away at the problem until the computer does what it's supposed to do. Large application programs and operating systems are a lot more complicated, but the methodology is basically the same. Writing a reliable computer program is much harder, because the program needs to work even in the face of random errors and mistakes: Murphy's computer, if you will. Significant research has gone into reliable software design, and there are many mission-critical software applications that are designed to withstand Murphy.
Writing a secure computer program is another matter entirely. Security involves making sure things work, not in the presence of random faults, but in the face of an intelligent and malicious adversary trying to ensure that things fail in the worst possible way at the worst possible time...again and again. It truly is programming Satan's computer.
Security engineering is different from any other kind of programming...
Security Engineering (...) requires you to think differently. You need to figure out not how something works, but how something can be made to not work. You have to imagine an intelligent and malicious adversary inside your system (…) constantly trying new ways to subvert it. You have to think like an alien.
As the late great science fiction editor John W. Campbell, said: "An alien thinks as well as a human, but not like a human." Computer security is a lot like that."