Though the need for security isn’t going away, the talent to implement and maintain strategies and tools isn’t there. According to the 2011 (ISC)² Global Information Security Workforce Study, “a clear skills gap exists that jeopardizes professionals’ ability to protect organizations in the near future.” A growing job focus – if not a whole new job type – among security engineers is application security. Why the need? Consider this common scenario:
Web development teams up with HR to develop a password-protected website that places the entire staff’s personal and professional information online. That way employees can log in to check vacation days, salary history, employee reviews, and the like. The data includes social security numbers, addresses, birthdates and more.
Meanwhile, tech operations and the application engineers build online access to the desktop so users can see their applications anywhere. The recent RSA key compromise allows third parties to sidestep RSA, bully their way past the Windows password, and access the network. Once there, they enjoy low-level security because developers typically don’t write security for intranets. “Developers often don’t understand the security standards and requirements that need to be addressed in developing software,” Richard Tychansky, an information assurance engineer, told Gov Info Security.
Traditionally, engineers who focus on security and people who write code don’t work together. Until now there hasn’t been a pressing need. So engineers with risk management AND development skills are finding opportunities teaching other developers how to write security into their applications.
With so much demand for developers and a growing expectation that security will be built into software, the developer who understands security will find a world of opportunities.