Becoming a Security-Focused Software Engineer

October 9th, 2017, by Matthew Setter

There comes a time in your life when you have to look yourself in the eye and decide that you're going to stand for something in your career, that you're going to make it mean something. Today, I've made that choice!

That does sound rather grandiose. And perhaps it is. But for some time, I've had this niggling feeling that I just had to take a good, long, hard look at where I was taking my career.

Why Did I Move Away From Software Engineering?

To put this into perspective, for almost my entire career as a software developer (I started professionally in 1999) I've suffered from impostor syndrome. Where it originated from, I'm not entirely sure. I have some ideas, but they're not conclusive.

What I do know is that I've always doubted my place as a software developer. Try as I might, I've never been able to shake it. Sadly, the longer I continued as a developer, and the more I tried to disavow myself of these doubts, the more substantial they became.

It gets even sadder as over the years I've loved writing code, and creating different kinds of tools and apps. I'll never forget the sheer joy and satisfaction I had when I wrote my first Java networking app back around 1997. And I'll never forget when I wrote a Gnome desktop app — as humble as it was.

But these were all in my private time. They weren't paid work. That's worth mentioning, as in my private time it never mattered what I wrote, what language it was in, or how large or small the app was. No one would likely ever see the app or the code, so how could I be called out as a fraud?

When I coded professionally, however, with others who I always assumed (by default) were naturally far more experienced and capable than I was, it was a different story.

To be fair, like almost every developer I know, I've written some rubbish code over the years. But instead of letting my demons grow, I could have done what some mentors of mine did: taken these mistakes on the chin, figured out where I had gone wrong, learned from the experiences, and moved on!

Sadly, I didn't do that.

So much so that, after I worked for a small company here in Nuremberg (Germany), I almost walked away from software development completely. To be honest, the only polite way to describe it was a "soul-sucking" experience.

That experience, largely based on my interpretation of it, nearly resulted in me never touching a line of code again. Consequently, afterward, I made a sharp right turn into full-time technical writing, and away from code.

And for a while (about two years) it worked out pretty well. But little by little, a voice grew louder in my head. It started as a gentle, soft voice, inquiring whether I really wanted to walk (read: run) away from writing software. It pointed out where I had been in the right and where they had been at fault. It also reminded me that I had made mistakes as well.

As the months wore on, the voice grew louder and louder and louder (no, I'm not losing my mind). Then, as a stroke of luck may have it, I was talking with my father-in-law a few months ago. With only a little prodding, he began sharing his insatiable enthusiasm for all things computer security and online privacy.

He's a retired electrical engineer, who's worked with computers for decades. So I'm not surprised.

He kept saying that security and privacy were the career paths of the future and that they would never be dull. Perhaps he saw that I was searching for something. Perhaps it was coincidental timing. Regardless, the seed had been planted, and it grew and grew and grew.

I thought about what he was saying for several months and realised that my time away from code had to come to an end and that I wanted back into the game.

However, this revived enthusiasm came with some parameters. I don't aspire to be a manager or a team lead. I just want to write code.

So I'm stating my decision here publicly, today, that that is what I'm doing. No wishy-washy intentions, just a clear decision to act.

What Does This Mean for Technical Writing?

That's a good question, but one that's pretty straightforward to answer. I'm still going to be doing it for the time being. I'm not a believer in abruptly changing tack — especially not when I have a wife and two young children to think about and care for.

Instead, over the coming months, I'll be progressively shifting away from technical writing as the mainstay of my work, and increasingly picking up more software development work.

I will still be writing for several sites, including Codeship, Sqreen, and ownCloud, as they are fantastic platforms to share what I know about software and security, to teach others and help them grow, and just to be nerdy.

But writing is no longer my primary focus!

Why Software Engineering With a Security Focus?

I've already, at least partially, answered that question. Let's dive deeper. Specifically, it's for three reasons.

Cyber-Security Spending is Unbelievable

I was researching an upcoming article for Sqreen recently, and a number leaped out at me — nearly running me over on the way past. 6 trillion USD.

That's not a typo. It's expected that by 2021, cybercrime damages will cost the world 6 trillion US dollars.

That's $6,000,000,000,000. Just look at all those zeroes for a moment. Can you even comprehend that amount of money?

I'm not obsessing over money. However, I am obsessing (somewhat) over the sheer intensity, energy, and further growth in the security field which that kind of spending will precipitate.

If you ever wanted to be certain that investing in a given career path would be worthwhile, I don't know of a surer indicator.

Civil Liberties, Privacy, and Anonymity are Under Threat

If you're not aware, I'm Australian. And, similar to the United Kingdom, and the United States, over the last few decades successive Australian governments have increasingly sought to erode civil liberties, privacy, and anonymity.

One of the best examples is the introduction of data retention laws — by what can only be described as a clearly uninformed Attorney General, George Brandis.

To quote The Conversation:

The law requires telecommunications companies to store customer metadata for at least two years. Metadata from our phone calls, text messages, emails, and internet activity is now tracked by the government and accessible by intelligence and law enforcement agencies.

These measures are always justified under the guise of "protecting the population from terrorism". However, continued research doesn't bear this out.

Nor do statistics on the causes of death show that terrorism is anywhere near the top reason. Take the following causes of death during the period 2003 - 2012:

  • Suicide: 22,800
  • Car accidents: 8,500
  • Homicide: 2,617
  • Domestic violence: 700 - 1,000
  • Exposure to cold: 80
  • Terrorism: 3

Governments continue to spend at increasing levels and encroach further and further on civil liberties and privacy.

I don't accept it! I don't accept the notion that I have to tolerate increasing incursions into, and limitations of, my personal privacy, liberty, and freedom in return for a notion of security — especially one with little actual assurance of either its efficacy or its necessity.

I Don't Want to Be a Victim of a Security Breach (I Value My Privacy)

As I've been researching and writing articles for Sqreen, and others, it's become painfully clear that not only are security breaches a real and present danger, they're only likely to get worse.

Take the recent admission by Yahoo! that all of its 3 billion user accounts were hacked in 2013. Then there's the continually unfolding Equifax breach debacle. I'll just say that I'm glad that I'm not an American, nor living and working there at the moment.

There are a significant number of other examples, such as Adult Friend Finder, Ashley Madison, and Comelec.

That I know of, I've not been caught up in anything more than a minor way so far. But even that level is enough to motivate me to learn as much as I can.

I Want to Write Secure Apps

I don't want to create apps, only to have them abused, defaced, or corrupted by others, regardless of whether their motivations are fun or profit. I value my reputation. I've worked hard to build it into what it is today.

How quickly would that reputation be shredded if the code that I wrote, or was involved in, was the root cause of an application being hacked? How much worse still would it be if that breach led to data being made accessible to people who should never have had access to it?

And when groups such as OWASP freely publish information, such as the OWASP Top 10, detailing the most common attacks and what to do to protect yourself against them, you can't say that you didn't know.

That (and a few more reasons) Are Why

For these reasons, security has become my main focus, with privacy and privacy advocacy a close second. I know that I have a lot to learn, but that's ok. It's quite exciting.

It's not only teenagers and twenty-somethings that should have the opportunity to start over, to begin again. Those of us who are a generation older have that opportunity too!

Unlike how I started off, at the beginning of the article, I'm almost relishing the fact that I have to dig in and learn. What a green-field experience it is. Oh, the books, blogs, and sites I can look forward to reading. Oh, the podcasts I can look forward to devouring.

It's a nerd's paradise!

How Will the Transition Happen?

Now there's a good question. Unlike what you might be thinking, I'm planning to take this one step at a time. I'm not making proclamations of dramatically changing how I work or act, of taking massive action, or of making significant changes from this moment onward.

That's as effective as a New Year's Resolution. It would last for about a week, if that, and then it'd be over.

Instead, I'm putting a plan together, and here's what I have so far:

  • Build up a solid security-focused RSS feed
  • Build a collated collection of security-focused podcasts (you have to know that SecurityNow's at the top of the list)
  • Build a collated collection of security-focused blogs (some of these include Krebs on Security, Schneier on Security, and Troy Hunt).
  • Find a good list of security-focused books
  • Renew my PluralSight subscription and work through as many security-focused courses as possible, over the next 12 months.
  • Continue writing with a security focus for Sqreen and Codeship.

There is loads more that I can do. But I see this as a good start.

In Conclusion

At the tender age of 41, I'm rebooting my (software) career, as a security-focused software engineer and privacy advocate. I don't expect it to be easy, but I do expect it to be a fascinating and rewarding experience. There's so much to do, which I'll be regularly blogging about. But here, at the beginning, is a perfect place to start.
