Last time, I wrote about how an organization can get started with software security. Today I will look at how to do that as an individual.
From Development To Secure Development
As a developer, I wasn’t always aware of the security implications of my actions. Now that I’m the Engineering Security Champion for my project, I have to be. It wasn’t an easy transition. The security field is vast and I keep learning something new almost every day. I read a number of books on security, some of which I reviewed on this site.
As an aspiring software craftsman, I realize that personal efforts are only half the story. The other half is the community of professionals.
Secure Development Communities
I’m lucky to work in a big organization, where such a community already exists.
EMC’s Product Security Office (PSO) provides me with a personal security adviser, maintains a security-related wiki, and operates a space on our internal collaboration environment.
If your organization doesn’t have something like our PSO, you can look elsewhere. (And if it does, you should look outside too!) OWASP is a great place to start. They actually have three sub-communities, one of which is for Builders.
But it’s also good to look at the other sub-communities, since they’re all related. Looking at things from the perspective of the others can be quite enlightening. That’s also why it’s a good idea to attend a security conference, if you can. OWASP holds annual AppSec conferences in three geos. The RSA Conference is another good place to meet your peers.
Contributing To The Community
So far I’ve talked about taking in information, but you shouldn’t forget to share your personal experiences as well. You may think you know very little yet, but even then it’s valuable to share. It helps to organize your thoughts, which is crucial when learning, and you may find that you gain insights from the comments that readers leave as well.
More to the point, there are many others out there who are getting started and who would benefit from seeing they are not alone.
There are other ways to contribute as well. You could join or start an OWASP chapter, for instance.
What Do You Think?
How did you get started with software security? How do you keep up with the field? What communities are you part of? Please leave a comment.
Vulnerabilities in web applications are now the largest vector of enterprise security attacks.
Stories about exploits that compromise sensitive data frequently mention culprits such as cross-site scripting, SQL injection, and buffer overflow. Vulnerabilities like these often fall outside the traditional expertise of network security managers.