« Why Getting Involved Early Matters | Main | Where We Are and Where We Are Going »


Adrian Lane

If security professionals going into coding is the goal, heck yes! The are even more facets to this problem than what you describe. People who know security, who can think like a criminal, who have the level of skepticism and cynicism that it takes in this profession absolutely fail the typical HR acid test of "perky and eager to work for our team". Candidates barely make it in the door. More than that, most dev managers have no clue how to interview a candidates with a security background; what questions to ask, what skills and approach to problem solving to look for. On the other side of the coin, I find some types of security professionals are more readily adaptable to the structured and detail oriented approach to coding larger, more complex applications ... a lot of security researchers are excellent at ripping off a prototype, but kinda suck at more rigorous approach to object oriented programming, processes and disciplines. It's a mindset thing. Some are no-BS, "I don't need no stinkin' process" get to the heart of the matter kind of people, and others are rigorous and detail oriented obsessives. Feel free to disagree with my generalization, but I'd take a web app hacker for product strategy and a cryptographer for development rather than the other way around.

Good post and great recommendation, by the way.



Hi Adrian,

Its not about turning security people into coders, its about integrating security mechanisms. This means you have to understand software and data. Practically speaking, you have to understand the design issue it could be expressed by coding, but its more likely that it means config (one of the themes in EIP is applications are more configured than coded), architecture, testing, and so on.

A seat belt only work if its in the right place for the driver to use it. An airbag doesn't work if its on the outside of the car, it has to be in the steering wheel.

The time for defining abstract security policies and not anchoring them in concrete architecture is over.

Your point on HR is well taken, but I also know plenty of good developers who can fail at this, so we'll just have to work around this and tell the HR people who we are going to hire ;-P

Andre Gironda

as a webapp hacker-developer product-strategy-cryptographer like yourselves, i must say that design is a step for the "process" but the constant process of design throughout construction is what really matters: refactoring.

define it how you will, prototyping the best definition i've even heard so far, but without process you have nothing, albeit the process never has to come from up above. no lead developer, no product manager, no guidance ever need take place when in the dev shop surrounded by minds of pure dev expertise.

that means no cowboy coders, but only enterprise architects of the highest caliber. do these people read a book or two about patterns? no, sir, they have read all of them from bertrand meyer to david garland -- decades before the current time.

i must agree with gunnar that the best "on our security industry team" right now have got to be enterprise architects and lead developers. we've also got data classification experts and these things that most people forget about called "data owners" aka "customers". if only their voices could be heard.

The comments to this entry are closed.