Wanted: Software Security Specialists... Are There Any?

Tuesday, November 22, 2011

Rafal Los


I keep seeing the requests for Software Security experts fly by in the Twittersphere, on blog posts, in LinkedIn messages and message boards... and now even recruiters are calling... so has everyone woken up to the criticality of software security? 

Or is it safer to say that there simply aren't that many good resources around, and people are starting to get desperate?

If you're hiring software security experts - are you finding that the talent pools have all but dried up?  Many have, and are turning to alternative means for bringing this type of critical talent in-house. 

Whether you've partnered with a consulting shop, or simply outsourced your work... the neon sign is up and it reads "App Sec Pros Desperately Wanted".

It's interesting to see what has happened and why this sudden desperate need has exploded.  I believe that there are primarily 2 reasons for this sudden need of software security professionals.  All in all, I suspect that there is a very serious shortage out there, and we've got no one but ourselves to blame.

First off - the mere fact that software security is the new hotness in employment means that anyone who's even remotely employable is probably working, and being kept relatively happy at their jobs.  I've talked to several people who are great software security experts - but are not looking to move to a new role, or company. 

IT people not wanting to move around is pretty rare...  Keep in mind that software security people come from one of two backgrounds.  They've either been software developers who got it and started doing software security, or they're smart security guys and gals who worked on their software development skills and became experts. 

You don't just go to college, get a degree in 'software security' and walk into a job being great at it.  Mostly because that degree doesn't exist, but also because the days of being able to walk into a job like this are probably long behind us. 

Enterprises that have seen this coming have been grooming software developers to be security-smart for a while now, and they're just starting to reap the rewards.  The rest are pilfering from each other those security professionals who understand enough about code to be decent at it.

Perhaps not surprisingly, not every smart security-minded person can be a software security expert.  The problem is that software development is changing at such a rapid pace, and nearly every organization has their own quirky software package... it's tough to just walk in and know what's going on.  Heck, I know plenty of developers who can't keep up with the pace of change in the code, frameworks, and client/server technologies out there... throw in mobile and it's a mess.

I think the other reason that software security professionals are so difficult to find, beyond the insane pace of change and the difficulty of getting into the profession, is that there is a new type of software security person required.  It is no longer enough to understand code well enough to run tools; today's organizations are realizing that tools alone won't save you.

A combination of risk analysis, threat modeling, code review, and architecture is needed.  More than being able to simply say "It's broken, look how I can break it", today's software security professional must be able not only to understand code and use technology, but also to come up with creative solutions to the problems identified.

Solving problems on a wide, architectural scale requires a different kind of security professional - a builder.  Builders are rare... just look at all the security conferences where 90% of the talks are about breaking.

So then back to the question - where are all the good software security professionals?  I honestly don't know that there are that many left that are unemployed, or unhappy enough to move about.  So that leaves the hiring agency or enterprise with a problem.  Looking internally might not be such a bad idea... so if you're left doing that, here are some tips...

  • start with great developers, those that can write code quickly, efficiently, but know where to go when they get stuck (intelligently, not just Google, cut, paste)
  • look for a curious mindset, someone who is always tinkering... sometimes those "lazy" developers are the best kind because they find wonderful shortcuts and ways to do things better, faster - as long as it's done securely
  • hire someone to partner with your internal staff... learning from trained professionals is key

If you can't get that right hire, or the right help internally... there's always the consultants and partners you can look to for help.  As the industry ramps up and really takes software security seriously, you'll see more of a shortage of qualified professionals. 

Don't be fooled by someone who can run a tool or read some source code, because software security is really about being able to understand requirements, code, and architecture and break it - then provide advice for a fix to get your development organization on the right track to keep from repeating the same mistakes... after all, that's what the end goal is, right?

Cross-posted from Following the White Rabbit

Brett Scott: Yes, there are software security experts, but they are busy...

q t: If you limit your search to profiles on social media and social networking at conferences, I think you limit your "professional" selection quite a bit. Advertising will probably draw in people who are actually looking rather than pimping an inflated ego. There are a lot of talented people, they just aren't tweeting 24/7 *in everyone's face* or podcasting, blogging, etc. because they're busy. It's possible you're limiting yourself to academia types who don't really care to work at a regular job anyway, which is why they drag out research projects, books, speaking engagements. I met quite a few... put them on a real job site in the front lines and they are completely lost. People holding down jobs might be looking or not. It's about advertising, interviewing, fact checking their background. Not about who has the most flash or biggest mouth.