Saturday, August 24, 2019

The Application Security Thought Process

I’m a believer in specialists.

Why? I know the principles behind flight but couldn’t build an airplane, know how internal combustion engines work but bring my car to a mechanic, and share the same keyboard as prize-winning novelists but couldn’t write a novel.


Specialists know something deeper than the tools and basic principles of their craft: the difference that makes the difference in the value of the end product.



Sometimes people are surprised when I say that I prefer former developers to be application security engineers. They shouldn’t be. I’m a believer in specialists.


I’ve had people tell me that traditional security engineers and new college hires without a development background can run the various and sundry static and dynamic scans. I usually agree.


That said, if the underlying premise of having a cyber security team is to add value, what’s the fastest path to “value”? Training a security engineer in the dark arts and the intricacies of application development? Or teaching a former developer to dive deep into, and focus on, security?


If you are just running scans and need to take the time of developers to interpret the results, I couldn’t articulate the value in that approach. The executive team and dev team likely can’t either.


The value is clearer with a former developer, who should be able not only to interpret the results of static and dynamic scans but also to identify potential security efficiencies in source code management, understand the CI/CD process, find vulnerabilities in API integration layers, write automated tests, automate security into the build process, and engage the development team in a language they understand.


You know, something deeper than the tools and basic principles of their craft. The difference that makes the difference in the value of the end product.


And that’s why I’m a believer in specialists.


Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I’ll read it.

