This is the third blog (first one here, second one here, third one here) from a meeting of the North-East England chapter of (ISC)2, where security experts from the region used the world café conversational format to discuss a number of topics. I led a table discussing secure software development, and the topic of how important security skills are within the development team came up as a key issue.
Security skills are important across the business and software development is an area where technical depth of security knowledge is very important.
Looking around at job adverts for software developers you’ll rarely find any requirement for security skills amongst the plethora of other technical skills required. Randomly picking five local software development jobs (yes, my sample size is terrible) in my region yielded no mention of security in any of them, including one that was for a bank!
So if security isn’t listed as a requirement to get a job, why would a software developer choose to become skilled at security? There needs to be a reason for someone to want to get a skill and for the average developer, looking at the average developer job, there appears to be little reason to be good at security.
There's a reason why SQL injection has topped the OWASP Top 10 for so long. SQL injection isn't particularly difficult to stop: there are several different ways to stop it, and there are automated testing tools that make it fairly simple to test for. Some basic security skills would see a huge reduction in issues like SQL injection.
What’s the Answer?
Many software developers do have security skills and those skills hopefully come under the banner of being an “experienced developer”.
The requirement for security skills is largely driven by business. If job adverts said that they required security skills from their developers, that would send a clear signal that security was an important part of software development, and it would encourage developers to improve on that skill.
Given a little time, developers are generally very good at improving on skills they believe themselves to be deficient in.
I’m strongly in favour of having areas of speciality within a business and security should be one of those specialities, alongside things like automated testing and user interface design. Everyone can’t be an expert at everything.
So the ideal would be to have a general knowledge of security within development teams, but then have some people within your business who are passionate about security: team members who constantly learn and move security forwards within the business, while having the experience to keep usability in mind. The term for this specialist is a Security Champion.