I am not a security industry luminary. In fact, prior to WhiteHat I had never worked in security. The closest I came was a consulting project using Perl::Critic for security audits in 2012. It was static analysis trying to uncover XSS and SQLi vulnerabilities in large, legacy Perl applications, a toy compared to what Eric Sheridan and his team do here at WhiteHat.
I was recruited by WhiteHat in 2012 for my front-end development experience. At that point I considered myself an expert at web development. What I learned here is how much I still have to learn! My first Hacker Kombat was enlightening. Here I am, having built web applications professionally for fifteen years, and in a competition designed to break into web applications I have no skills.
Working at WhiteHat, in the security industry, fundamentally changed my approach to building software. Security is now a front-of-mind aspect of designing software for me. As with many difficult disciplines, I had only a shallow understanding. I knew a little about threat modeling, vulnerabilities, and attack vectors. I didn’t realize how deep and complex software security was until I was in the middle of it (and, to be completely honest, there is still so much I don’t know). This experience has made me a better engineer, a more well-rounded engineer.
Seek more experiences
Every engineer should have the opportunity to dive deep into security. Keeping an application secure, and its data safe, is a complicated mix of preparation and probability. True appreciation for its difficulty is best accrued through experience. Reading about it isn’t enough. Studying won’t provide the same benefit as lived experience.
LinkedIn founder Reid Hoffman writes about the tour of duty framework for collecting experiences. In his model, if motivated employees “signed up for a 2–4 year tour of duty and made an important contribution to some part of the business, Reid and the company would help advance their careers, preferably in the form of another tour of duty at LinkedIn.” I strongly recommend engineers follow this approach to their career. In the case of LinkedIn it worked well for the company, too. They “got an engaged employee who worked to achieve tangible results for LinkedIn. The employee transformed [their] career by enhancing [their] portfolio of skills and experiences.”
My recommended experiences
Security is only one facet of a well-rounded engineer’s experience. Here are a few areas where I recommend gaining additional experience if you haven’t already:
Work on your user interfaces, or go work for a design company. Building software with a design-first approach will break your brain as a developer. You will gain empathy for the experience of the real people interacting with your creations. You’ll see their pain, and you’ll want to make it better. Further reading on this topic: The User Experience Team of One by Leah Buley.
Working for a consulting agency or being an independent consultant are excellent ways to learn how to work directly with customers. Another method is a tour of duty in field engineering, customer success, or sales engineering. Consulting will train you to ask a lot of questions for greater understanding, to avoid over-promising, and to iterate quickly with customers. Further reading on this topic: The Secrets of Consulting by Gerald M. Weinberg.
The guiding principle behind DevOps is “you build it, you run it.” Every engineering team should be able to deploy, manage, and scale their software. Spend some time with your production operations team. Automate something that’s done manually. If your application isn’t yet a 12-factor app, this is a great opportunity to make it cloud ready and run it on a platform designed for scale. Further reading on this topic: The Phoenix Project by Gene Kim.
Strive to be well-rounded
As a web application developer, the spectre of the full-stack developer is all around me. The pressure to have deep experience in every architectural layer is heavy. This isn’t really possible, and as an industry we’re coming to grips with that. I would recommend that we focus, as engineers, on being well-rounded. We ought to attain familiarity with, and working knowledge of, new facets of software development by collecting experiences.