Tuesday, May 31, 2022

Do You Code? Security Chops Will Boost Your Career


As a web application developer 20 years ago, I knew almost nothing about security. I remember building what seemed like a great feature that turned out to be an excellent example of How-to-Enable-a-Successful-Phishing-Attack. I was coding a Java servlet to take HTTP requests from browsers and process them. Wouldn't it be cool, I thought, if the servlet allowed for redirection to another page or another website if a special URL parameter was present? That could come in really handy!

Only later did I realize that I'd coded an open redirect vulnerability. This "feature" actually made it into production, but fortunately the special parameter name was undocumented and not easily guessable. A static analysis of the codebase would have easily found this flaw, but no such tools existed back then.
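As an added illustration (not the author's original servlet), here is the shape of that open redirect beside a hardened version that only honours same-site paths; it assumes the javax.servlet API on the classpath and uses a hypothetical parameter name `next`, since the real undocumented name is not given in the post.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RedirectServlet extends HttpServlet {
    // Hypothetical parameter name; the post does not give the real (undocumented) one.
    private static final String NEXT = "next";

    // The pattern from the post: whatever the parameter holds goes straight to sendRedirect(),
    // so ?next=https://evil.example bounces the user off-site behind this site's trusted hostname.
    protected void doGetVulnerable(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String target = req.getParameter(NEXT);
        if (target != null) {
            resp.sendRedirect(target); // no validation at all
        }
    }

    // Hardened: only a path on this site is honoured; anything else falls back to a fixed page.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String target = req.getParameter(NEXT);
        resp.sendRedirect(isLocalPath(target) ? target : "/home");
    }

    // Accept a single-slash, same-site path only. Protocol-relative ("//evil.example"),
    // absolute ("https://evil.example"), scheme-only ("javascript:...") and malformed
    // values (a backslash is not legal in a URI) are all rejected.
    static boolean isLocalPath(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            return false;
        }
        try {
            URI uri = new URI(target);
            return !uri.isAbsolute() && uri.getAuthority() == null
                    && uri.getPath() != null && uri.getPath().startsWith("/");
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Exercises the validator on constructed inputs without a servlet container
    // (the servlet API jar must still be on the classpath to load this class).
    public static void main(String[] args) {
        String[] samples = {"/account", "/search?q=x", "//evil.example/", "https://evil.example", "/\\evil.example", null};
        for (String s : samples) {
            System.out.println(s + " -> " + (isLocalPath(s) ? "allowed" : "rejected"));
        }
    }
}
```

Of the constructed samples only the first two are allowed; the static analysis the post mentions would flag the unvalidated `sendRedirect(target)` call in `doGetVulnerable` as a tainted-data sink.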

Fast forward 20 years and employers now expect their developers to understand how to code securely. There have been too many successful hacks and appalling data breaches due to vulnerable code and poorly designed software. It's finally understood that developers play a key role when it comes to cybersecurity.

For this reason, having security chops as a developer will enhance your career. A recent study by Burning Glass Technologies found that Application Development Security will be the fastest growing cybersecurity skill from 2021 to 2025. The same study reported that on average you'll get a $12,266 salary boost by possessing that skillset.

Besides the potential for a boost in salary, there's no better feeling than writing elegant code as a developer. But what if your code allows for SQL injection? That's not elegant. Elegant code works perfectly to accomplish some task, performs well, and stands up to cyber-attacks.

To put it another way, successful software is like a 3-legged stool where the legs are functionality, performance, and security. Take away any one leg and it will fall over. 

Stepping back for a minute, let's discuss why developers historically haven't been interested in security. One of the primary reasons is they simply weren't incentivized to pay attention to it. Their performance was judged based on delivering working software on time. Security wasn't a consideration. Additionally, Computer Science programs at colleges and universities typically haven't taught secure coding. A few electives covering high-level concepts like privacy or cryptography might be available, but usually nothing practical for the real world like using parameterized queries to prevent SQL injection or properly encoding untrusted data to avoid cross-site scripting.

So as a developer, how do you acquire security skills? 

There are many ways to learn. The OWASP Top 10 is a good place to start. It explains the common types of application vulnerabilities, why they occur, and how they are exploited by adversaries. The Udemy course An Introduction to OWASP Top 10 Vulnerabilities is another good resource.

See if your employer offers interactive secure code training. One such offering is Veracode Security Labs, which allows you to try exploits on real apps, fix the code to squash the vulnerabilities, and earn certificates to showcase your secure coding knowledge. If your employer doesn't have Security Labs, you can still use the community edition or register for a free trial of the full version.

Check if your employer has a Security Champions program that you can join. As a security champion, you'll be a voice for security within the development organization and your security skills will expand while being more visible at the same time.

Here are some other resources to consider:

Good luck in your secure coding adventures and a more lucrative career!

(This post first published as a LinkedIn article)