Why Developers Will Be More Marketable If They Know This Skill

This article is more than 6 years old.

Being able to write code and build software or websites is a great skill on its own. However, developers can really level up their marketability if they learn how to help companies level up their security.

There is currently a shortage of cyber-security engineers and other security professionals--and it's one of the most in-demand tech jobs for the future. Translation? Devs who pursue knowledge in this arena will be in great shape when it comes to finding work.

Here's why developers should consider moving into a cyber-security career, and why development and security are skills that go well together.


The Importance Of Good Security For Modern Companies

To some extent, the need for security speaks for itself: more companies than ever are handling vast amounts of sensitive information via their networks. That information needs to be protected, and the stakes are high: cyber-crimes are estimated to cost the world as much as $6 trillion annually by 2021.

Alex Bekker, VP of Engineering at HackerOne, says, “There is no consistently reliable way to produce secure code, so organizations rely on a multi-layered approach to staying safe, which starts with developing with security in mind. Failing to do so dramatically increases the risk of a security breach and the significant damage it can do to the organization's brand and revenue.”

Mike Lemire, Compliance & Information Security Officer at Quick Base, adds that as cloud services have become more popular, the security needs of companies are evolving: "While most companies have security policies in place, these policies now need to specifically address use of cloud services, including aPaaS. And it’s important to educate employees on what data is okay to store in cloud services and what is not, and with whom they can share data."

Why Security Should Be Integral To The Development Process

Most companies have a security team and a development team--they function separately, with different responsibilities and goals.

However, many technical professionals believe it would be better for security and development professionals to work side-by-side.

"For far too long, security and development teams have been separated by different languages, tools, working styles, and how they communicate," says CTO & co-founder of Illumio PJ Kirner. "Teams should look for ways to bridge the gap to enable better collaboration and improve efficiencies. Solutions that use common data models and frameworks that are natural to both groups while serving their individual needs will help. And if you’re going to ask developers to participate in the process of defining security policy, that policy should be created in a language that developers can understand."

Josh Feinblum, Chief Security Officer at DigitalOcean, agrees that security and development teams should work with shared goals and tools. "Security practitioners must find creative ways to help developers whenever possible," he says. "This means deploying tools that make it easier and faster for developers to build and deploy code."

Renaud Deraison, cofounder & CTO of Tenable, would ideally take it one step further. "Traditional IT teams are composed of security specialists that often operate in a silo; the two departments are completely separate," Deraison explains. "As cyber threats continue to plague businesses, this structure is now at a crossroads, and enterprises need to shift how they are handling cyber risk."

Rather than simply having the teams work together, he'd like to see them blended. "I believe that businesses should no longer have a separate security team," he says. "Each and every IT person should be equipped with knowledge of security best practices so nothing slips through the cracks. Engineering and IT teams must have security expertise baked into their skillsets from the beginning."

In this kind of team, every engineer could be a cyber-security engineer--so security is prioritized every step of the way.

How Developers Can Take Control Of Their Own Code Security

Companies are still grappling with how to handle security, but developers who take the initiative on their own have a real chance to stand out.

To start the process toward being a cyber-security engineer--or even just a developer who can hold a conversation about security practices--there are a few things you can do.

Ayman Sayed, Chief Product Officer at CA Technologies, has three pieces of advice.

  1. "Take a course on application security and educate yourself on the latest trends in security practices. By educating yourself, you’ll be more savvy and make the process of secure development go a lot faster.
  2. Educate executives on the business-level benefits of security to get their buy-in. They’ll be able to assist in making organization-wide changes that will make it easier to prioritize security.
  3. Take responsibility for the security of your own code. Don’t let the final quality check department be the only place where security is considered. By thinking about and testing for security early, it is a lot easier to fix."

When you're looking to enter a cyber-security career, having a background in non-security-related development can be helpful. It gives you a more well-rounded perspective than someone who has only focused on security for their entire education or career.

Developers looking to become cyber-security engineers have plenty of options for teaching themselves security skills, says Bekker. "The internet is chock-full of valuable resources, including hacker101 and e-learning platforms such as Udemy or Udacity."

Krishna Narayanaswamy, founder and Chief Scientist at Netskope, has specific advice for security issues to focus on during the development process. "If the program deals with sensitive information like passwords, private keys and OAuth tokens, it is important to protect the data by using strong encryption with a mature key storage and management procedure," he says. "Also it is a must that sensitive data is never stored within the program as it can be easily exposed and compromise the entire system."

Steps Companies Can Take To Be More Security-Proactive

Supporting and encouraging developers to add security skills to their arsenal is an important first step for companies. However, it's also important to establish specific policies and institutional practices so there are clear procedures in place as the company moves toward a new way of doing things.

According to a report conducted by CA Technologies, senior management often prioritizes time-to-market over fixing security concerns. Sayed notes, “The report shows that developers care about writing secure code, but top-down cultural pressures like executive demands for aggressive release schedules can put those concerns on the back burner. Success across all fronts needs a developer-driven culture because they are the ones who know what the code needs to be good.”

Sayed adds a few more pieces of survey-based advice for companies looking to pursue a holistic security strategy:

  1. "47 percent of survey respondents said they lack proper tools to make security integral to the entire software development process. Focus on tooling and best practice, and don't reinvent the wheel.
  2. 59 percent of survey respondents cited a lack of budget from their organization as a top challenge in embedding security. Solve this by leveraging experience and talent between teams, identifying gaps, and providing an opportunity to plug them."

Ultimately, security needs to be prioritized in all phases of the development process, and from the top level of management to the lowest on the totem pole. Prioritizing it now offers the potential to save companies a lot of time, money, and hassle by preventing security failures in the future.
