This is an interesting topic, my reasoning for writing this will become clear in the not too distant future, however not many organizations that are actively writing code have many folks focused or dedicated exclusively to security, if you do, bravo for your organization it cares about their users, their developers and it’s reputation. If you’re one of the organizations that don’t, well then shame on your management, & you should take up the cause to change it. If you’re organization is in the process of changing from the status quo to understanding that you need some dedicated security resources well that’s excellent. I am not writing to convince you that you need security resources, that will be a different topic on a different day. Today I am working to define what a security engineer is, so when I convince you that you need one in the future, well you’ll already know what you need & how to develop them.
What is a Security Engineer?
A security engineer, at the most basic form is someone dedicated to ensuring the software developed by a software development team is a secure and safe as it possibly can be from anyone that would wish to do you or your organization harm. However it goes I believe that it goes much much deeper then that. A security engineer has to be a passionate individual with a passion and a tenacity for the job, they need to be ever curious and have the humility to accept they’re wrong but have the zeal and the guts to stand up for the injustice of insecure code. Because of their passion for security they need to be natural leaders, willing to work with anyone: managers, VP’s developers, testers, customers, partners. If that weren’t enough a security engineer needs to be someone who pays attention to the small details, because it’s a small detail that can lead to a big problem, they need to be decent negotiators and they have to be humble, recognizing that as vital as their job is to the success of the organization, they cannot impede the progress of software to drastically, when security becomes to onerous for development teams to get their work done then there’s a problem.
The security engineer has to be an out going individual, a person whom has no problem speaking up and speaking out, this is an essential skill because they ever need to be ready to give a presentation, teach, their fellow colleagues about security issues, best practices, what’s trending in the industry, best solutions to a particular problem.
Qualifications of a Security Engineer
Throughout the definition of what a security engineer was, there was a careful avoidance made to make any reference to they are a developer, a manager, an architect, a CISSP, a CLSSP, a quality assurance individual, a PM, PGM, CISO. The reason being, is they could all be a security engineer or none of them. I know folks who’ve achieved a CISSP as part of a job requirement, and they don’t know or have anything to do with security they have not maintained their knowledge or their certification. I know QA engineers whom are very dedicated to security and quite proficient at what they do.
An emerging trend at least in Canada, and therefore it stands to reason in North America, is that organizations are waking up to a real need for security individuals, yet a lot of post secondary institutions while they offer courses in security do not offer yet a discipline in security. This trend will eventually even itself out when academic institutions catch up to the needs of industry often there is dialogue about the qualification industry expects potential employment candidates to graduate with. However for at least the immediate future security engineers will continue to rise out of the job categories mentioned above and that is quite okay.
A security engineer is more of a specialization on any of the job categories mentioned above. Security is a symbiotic specialization with whatever field the security engineer emerges from, thereby being good at one makes you better at the other. To get started and moving in the direction of becoming a security engineer, I would argue there are very little technically, specialized skills or qualifications required, and the majority of the skills required for being an effective security engineer are defined “soft skills” mentioned above in what is a security engineer. However I would be seriously remiss if I did not talk about the technical skills needed to be a security engineer, my premise here is basically that anyone can become a security engineer from any field in technology & so long as they have the soft skills and are willing to work on continuing to develop them while working on the technical skills.
Security Engineer – Technical Skills
While there is no hard and defined, rule whereby a certain educational background predisposes an individual to being a security engineer. I would argue that having a strong development background in software certainly helps. I would further argue that a strong development background best positions an individual to specialize in security. The reason being is that once in a security role there is often times an endless amount of code that a security engineer – can justifiably write. I continue to write code, to demonstrate exploits against production code. It’s a lot easier to hand an application to a development team and say “Run this, if you get this output you’ve got a security issue still” rather then having to write 20 steps to reproduce the bug in a bug tracking system and hope the developers do each step the same way I did.
Coming from a strong development background I can very quickly look at code, be it during a code review, static code analysis, or a testing phase and understand what the code does, where the potential for security bugs are, at which point I can either go back to the development team and say there is a bug, or exploit it.
Being able to learn new how to use new tools and code in those new tools. Python is an excellent language for performing security test cases, or automation in. A strong development background leads to being able to pick up and write code in these new languages quickly and efficiently. A development background is makes it easier to code up a Proof of concept for teaching, or demoing security features. new ideas or Security Design Patterns. All in All, whether the individual perusing a security engineering role or developing into one comes from a development background or not, it doesn’t matter so long as they’re willing to learn how to code. Writing code is an essential skill for a security engineer and a first skill in the skill set needed.
The next essential skill for a security engineer is penetration testing, learning how to do effective penetration testing is vital, because would be attackers are doing their own penetration testing. Yes a development background can help here, however there are a number of tools, and utilities that can also be employed. Not many post secondary institutions teach penetration testing and they should. There are a number of places, courses, online etc where an individual can learn how to be an effective pen tester. This includes, active/passive analysis, network recon, server discovery and analysis, banner grabbing etc.
After coding and penetration testing, the next essential technical skill for a security engineer is threat modeling knowing where you’re threats are before, during, after, development and after release is critical. Threat modeling is a secret weapon because it provides advanced intelligence to the security engineer that would be attackers need to find on their own. If you know where you’re weaknesses are, well then you’ve got an opportunity to address them by securing the weakest link first potentially with a Security Design Pattern before you’re attacked. Becoming an effective threat modeler is vital to your success. If you’re unaware of how to perform threat modeling there a numerous books. I would recommend. Threat Modeling – Designing for Security By Adam Shostack.
The next important technical skill, is designing good software, learn to design software well, learn things like security design patterns, so that you can best advise the developers and development teams. If you’re unsure or have never designed software find an architect mentor to work with you and help you make good decisions, and advice, you’ll pick it up soon enough.
Learning, learning learning, is an essential skill of any security engineer, you must constantly be learning. I try to read a new book every two weeks, attend web seminars when I can. Software is constantly in a state of flex, technology is always changing and that opens the doors to new security problems everyday, you must be willing to learn and work hard at learning, to keep up in the field and the technologies development teams are working on and in. I one time made the mistake of thinking that security would be easy. However it an effective career in security comes with a lot of overhead around learning and staying sharp to keep up your game.
Other skills like peach fuzzing, fuzzing, etc these are important skills as well, but of lessor importance to the ones I’ve mentioned. as you pick up major skills you’ll also pick up the minor less important skills to help you along the way. There is a whole world of tools that are available to assist you along your way learn them, learn how to use them, and become proficient at using tools. Remember that a tool, is that it’s a tool and it’s software, a tool can never replace the value of the human mind, a tool is only as good as the human mind using it.
Armed For Battle – The Kit
As I come to a close I thought I’d share with you what I believe the essential kit of any security engineer is. There are a whole whack of tools, and I cannot possibly mention them all here. Some are good, some are bad, however this is the essential list & the list that any security engineer should aim to learn, understand and know the best.
- Kali Linux & toolkit
- Burp Suite
- Microsoft’s Threat Modeling Tool
- Some Kind of Static Code analysis
- OWASP Website and Resources
- Samurai Web Testing Framework
- Microsoft’s Security Development Lifecycle Framework