What does a secure coder do?

[Introduction]

[00:00:04] CS: Welcome to the Infosec Career Video Series. The set of short videos will provide a brief look inside cyber security careers and the experience needed to enter them. Today I'll be speaking to Infosec Skills author John Wagnon about the role of Secure Coder. So let's get into it. Welcome, John.

[00:00:23] JW: Hey, Chris. It's great to be here.

[00:00:24] CS: Great to have you. John, let's start with the basics. Even if the job title might seem obvious, what exactly does a Secure Coder do? What are the day-to-day tasks?

[00:00:34] JW: Yeah. Well, not to state the obvious, but a Secure Coder codes, securely, Chris.

[00:00:37] CS: Yes.

[00:00:38] JW: Now, in fact, not joking aside, I guess, Secure Coding is really just coding. It's software programming, software development. But it's doing that in a secure way. I would just say here right at the start, you should code in a secure way. Maybe you're going to say it differently. You should never write a program that is not secure, right? There are ways to do that and just maybe a couple of points on that.

[00:01:09] CS: Sure.

[00:01:10] JW: The world has changed and continues to change. There's new processes like, you'll see, or you'll hear about these processes like CICD. This is the Continuous Integration Continuous Delivery. So what some companies have done, companies that are moving this direction and a lot of them are with more modern processes and technologies, is that you used to have maybe a software development team that would write some code, one day, and then they would take it over to the quality assurance team. Then the quality assurance team would take some time and they’ll look at it and they were to the security team. Then finally it would reach maybe some testing platform and finally into production where it's live online.

Well, now that whole process has been just compressed into I mean, some companies, I've seen some, some of these are really software or online streaming platforms, that kind of thing or moving code into production literally every few seconds, like new code is moving into production. So that's how fast things are going. Anyway, so that's the world we live in, but, yeah. I guess, maybe another couple of things that I would point out in terms of secure code or what is a coder do. Obviously you need to know computer programing languages, right? Things like C# or Python is really popular.

Go is a really fast really, really cool. Fairly new one, Java, there's things like that that you can get to know. Some companies have teams that will say, “Hey, we need we the certain application. We need a certain thing done.” So then they'll have a software development team that they will have, just on staff and then that team will write the application for that specific company, right? Other companies are like, “Hey, we're just going to write applications.” I'll pick on Instagram or Twitter, or Paypal, or Doordash, or whatever, right?

They actually I mean, if we pick on Instagram, right? They actually write the program, they write the application in Instagram, and then other people come in and use that thing. So they have a team of developers that they're constantly poring over that application, that web based application to write it. They're using languages like what I said, like Python to go and C# and all that. So anyway, the world of a code or a Secure Coder is to create those applications using those different languages, programing languages to do all kinds of crazy things in this world. It's a good place to be.

[00:03:50] CS: Yeah. I was going to say just for my own understanding here, it sounds like, I think when people hear secure coding in a class or becoming a Secure Coder, that they think, well, Instagram has actual coders who are making the Instagram app and then Secure Coders come in afterwards and add the secure, but what you're saying is that it's more of an add on to the concept of coding, right?

[00:04:13] JW: Yes. In fact, there's this other term that you may hear in these circles called the software development lifecycle. If you could think of like from the creation all the way to where one day, we're not using that code anymore. So you'll also hear a term that some people will say, and that is shift left, which you can debate, yeah, hey we want – what does that mean anything or whatnot. But basically, the thing that you're describing as a great point is that maybe historically you would have a team that's like, “Hey, I just want to get this thing working.” Whatever this thing is, we'll pick on Instagram again, right? I just want it to work. I don't care how secure it is. I just need it to whatever. Then you would have the people come in later and say, “Hey, let's make this lock this thing down.” Whatever, but now you want to, when we say shift left, you shift the security conversation to the left, which means earlier in the process or right from the design –

[00:05:07] CS: Left to right development progress. Yeah.

[00:05:09] JW: Correct. Yeah. I mean, if you're looking at a timeline day one and day X, whatever. Let's talk about security even before we even start writing the first bit of code, right? So let's design it into it. Some people have described it as the security is baked into the application, rather than bolted on after as an afterthought, right? So, yeah. I would say certainly today and frankly, this should have been how it was the whole time. If you're a developer, you need to be thinking about the secure coding practices from day one. So it's not a, “Hey, let's come in after and fix it up.” That’s a great point, though.

[00:05:47] CS: Okay. Let's talk about the how to. How does one become a Secure Coder? Are there experiences that they need to become one? Are there education or certifications that move you in this direction?

[00:05:59] JW: Yeah, great question. One, you need to know how to program, right? Those programing languages are talked about whether it's Go or Java or Python or whatever. There’s a bunch of them, I would say pick one if you’re just getting started. Pick one of those. Python is a great one to start with. Go is a really good one. Although frankly, you almost can't go wrong if you'll just pick one to get to know it, right? Then what you could do, you could certainly take online classes. You could sign up for Infosec, right? Learn all kinds of good stuff. But then there's also, one thing I was going to point out is, there's open source projects.

What I mean by open source projects is you got all these companies out there. Mozilla is one of them, for example, although there's stuff like the PANDAS package, there's Visual Studio code, there's a bunch, if you just type in open source project on Google and just say, “Hey, what's out there?” Effectively, what's happened is you got all these companies that have these different software developments going on all over the place. They have said, “Hey, open community, just world community out there.” If you'll pick one of these, then you can just grab it and start working on it. Start creating a solution, right? You can write it in whatever, maybe there's some that they're like, “Hey, you need to write this in Python or Go or whatever.” Maybe there's some that's like, “Hey, if you'll just fix it use whatever language you want.” Then you can submit that into the company and say, “Hey, this is my solution for that open source project. That open source problem that you posted out there.” Right?

Then they would maybe accept that or maybe they would accept part of it, or maybe they'd say, “Hey, you got a couple of problems here. Let's polish that up.” Then you would become a contributor, right? You would become a part, a creator of that project, and that would be awesome. But then that's also something you could take to an employer and say, “Hey, employer, future employer, look at the work I've done.” Right? It's all free. I mean, you have to, of course, use your time and effort to do the project, but it was not worth your time. Anyway, and then and you asked about degrees and certifications.

[00:08:11] CS: Sure.

[00:08:12] JW: Certainly, you could get a degree, I mean there’s computer science, computer engineering, software engineering that kind of stuff that you could totally go and do, of course. There’s other certifications like the Security+ is one certification. CISSP is one, the Certified Ethical Hacker, the CEH. There's other ones, if you're leaning toward the cloud, there's AWS and Azure have different developer and architecture certifications. There's Kubernetes, which that's a that's a whole other conversation. Kubernetes. That’s a whole another conversation with Kubernetes and a different education. There's a lot of different certifications you could get.

I would say, there's no one magic path. There's no one yellow brick road you must follow in order to arrive. You don't have to have a degree, but – it’s not as bad thing if you do, right? –

[00:09:04] CS: There's not necessarily a Secure Coder certification either. When you're taking the Secure Coder path here and infosec skills, what you're getting is a set of principles.

[00:09:16] JW: That's exactly, right.

[00:09:19] CS: Yeah.

[00:09:19] JW: In fact, yeah, some people – so yeah, to your point, you're not going to go out to the ISC squared, or the top TNR, or whatever and say, you need to secure a coder path. That's not necessarily a thing right now, but it's more of a set of practices, a set of principles that you would employ, that you would use as you write code, right?

[00:09:39] CS: Right.

[00:09:40] JW: So that's exactly right. Great point.

[00:09:43] CS: Okay. I guess, my question here is what skills does a Secure Coder need to do their job well, but I, I guess the larger question is what skills does a coder need to do their job well? I've always been absolutely terrified of the idea of ever having to do app development or coding or whatever. So what are the hard and soft skills that you need? What is the disposition of people who do this stuff well? Where are the leaders coming from?

[00:10:13] JW: Yeah, no, that's a great question, that's a great question. You mentioned hard and soft skills. I would say both. We'll start with the soft skills. I think you’re good, I don’t care what job you have. If you're a coder or if you're, whatever, right. You need to work well with people. You need to work well on a team. Most of the time, if you're a software developer, you're going to be part of a team whether you're the leader of that team or maybe you're just one of the workers on that team, whatever. But very typically, regardless of what application you're developing or you're creating, you're going to be part of the team. So the powers that you’re going to set, hey, we need this thing.

Inevitably people have opinions. In the IT world, people can have very strong opinions. So there may be some or maybe a little bit of internal infighting there. It's like no, we really have to do this thing. No, this thing is bad or whatever, right? So you need be able to resolve conflict or at least be able to work in that environment where there may be some conflict that arises that how are you going to handle that? How are you going to help with that, right? So those are very good skills to have. But then, of course, you need the technical skills of the programing languages like we just talked about. You need to know how those work. You can't just be a great people, person and be like, “Okay, man, I'm going to create the application.”

[00:11:31] CS: Yeah.

[00:11:31] JW: No, you got to know how to write the code. So writing the code is very important. going back to that open source idea or whatever it is or maybe you can show different things, projects you've done, if you've taken online classes or whatever, but just to build that knowledge of how to write, how they write code, so you absolutely need to have that. Then I would also mention this is how more of a soft skill as well, but just a curiosity about the job. So I think that that definitely helps many people I've talked to, just in my circles have said, the curiosity of like, “How does this work? Or What if I did that? Or what's the art of the possible if I were to try this little thing or whatever.”

[00:12:13] CS: Yeah.

[00:12:13] JW: I think that is absolutely, that would, I would say it's essential, but it's a really good thing to have in terms of what do you need to do or what do you need to have to do your job well. So those are a few things I would mention.

[00:12:27] CS: I love it. What are some common tools, electronic or otherwise, that Secure Coders use? I mean, I'm assuming obviously you have to know the platforms, but are there any secure coding, specific tracking tools, testing tools or anything like that, that you know about?

[00:12:40] JW: Absolutely. Yeah. There's a whole bunch, I mean, if you can imagine if I were building a house or whatever, what tools do I need? Do I need a saw, a screwdriver and a hammer, whatever? So there's a thousand tools out there to help you do your job well, but certainly the programing languages that we talked about, that's one of the just basic tools that you need.

[00:13:00] CS: Sure.

[00:13:01] JW: On top of that, it's like, how do I use this thing? I ain’t sitting here and write a few lines of code. There are, and you mentioned this or we alluded to this before. There are some different standards, some security standards that have been written out there. A couple of examples are the OWASP has a secure framework that's called the Application Security Verification and Standard, the ASVS. That's a really good standard that you could use that says, “Hey, when you write code, these are things you need to think about or that you need to employ as you write that code.” So ASVS is really good.

The NIST's, the US Government NIST's organization has one called the Secure Software Development Framework. The SSDF, that's another good one, you could utilize as you write your code, right? Again, these are guides, these are standards that as you are writing the code, this is telling you, hey, do this, don't do that, of idea, so that you're not introducing vulnerabilities as you write the code right. A few others that I would just throw out there, I mean we could spend hours on each one of these.

[00:14:04] CS: Of course. Yeah.

[00:14:05] JW: Just to give awareness. There's those CICD, you remember I was talking about this continuous delivery the continuous idea that these codes may put into production all the time. There's a lot of tools that are used around that, because it's like hey, how in the world that I let that happen?

[00:14:22] CS: Yeah.

[00:14:23] JW: There are some popular repositories like GitHub and GitLab. Those are a couple of different ones. Jenkins is a really good, really popular tool that you'll hear about. VS Code is a tool that you can use as you're writing your code. It's just really cool. It makes all the text line up and makes it color coded and it just makes a really nice and neat, so that's really cool. In VS Code, there’s a whole lot of stuff. Another thing to throw out there is project tracking tools like JIRA is a popular one. You can imagine if you've got a team writing an application, writing code and they say, “Hey, I just made this little update. What version are we on now?” Right? I don’t know.

[00:15:08] CS: Yeah, yeah.

[00:15:10] JW: It's everybody's doing their little piece and part. “Man, how do you keep that version control?” So some of that JIRA project tracking does that –

[00:15:19] CS: Also hoping that you have a really good project manager on your team.

[00:15:22] JW: Yes. That's another one of those career paths that you can say. That's exactly right.

[00:15:27] CS: For sure.

[00:15:28] JW: Then I would mention to just generally speaking, API development. So the Application Programing Interface, the APIs are keying today. So you got restful APIs, you've got all the older school, like soap version of APIs. Anyway, API development is another area that if you just wanted to dip your toe in that you would, man, there's all kinds of opportunities. Then from security things, a couple that I would mention just, obviously you need to develop in a secure way as you're writing the code, but then you can come in after the fact and just make sure like, “Hey, let me test this thing, let me run it through some a testing tool.”

There's Dynamic and Static Application Security Testing, DAST and SAST tools that can help you with security testing. So it's like, “Hey, let me come interrogate your code and see if it's actually secure.” So those are those are a couple of things that I would, I know that was a laundry list there that I mentioned –

[00:16:26] CS: Yeah. No, no.

[00:16:27] JW: Those are tools that you'll hear about or that you would use in your job, right?

[00:16:32] CS: Yeah. I think that ties into with like you said, the open source GitHub type thing of, I think a lot of this apart from learning basic principles. One of the things I think is going to be very interesting about this to our listeners is that they can work at this at their own speed without someone looking over their shoulder and their job being on the line if they don't get this right. You can just sit there all night if you need to and just tinker and tinker and tinker until you see like, “Oh, I figured it out.” I think that's probably pretty exciting. Moving on from that. Sorry. What are some other roles you can move into from a Secure Coder? What's the mobility like in those? What are some common pivot points from this type of coding into other areas of security?

[00:17:20] JW: Yeah, absolutely. The whole cyber security world, call what you will, just this whole security world in the computer space is a massive place and there's so many different opportunities available. So a software developer is in high demand today. There's no doubt about it. If anybody is looking for a job and wants to get into that, I mean, you'll get hired. Don't hold me to that, but I bet you get hired pretty quick. Then if you start out, let's say you start out, you do a couple of open source projects and you're getting good at coding a little bit. You get hired on. Then from there talked about a lot of times you work in a team, so maybe you'll get all the way up and you'll be the team leader of that development team, right? So that's one place.

Then you can start to move laterally in different organizations or just around the space and start to say, “Hey, maybe I want to do some of the testing, maybe I want to do pin testing, penetration testing. I've got a good background in coding and application development.”

[00:18:22] CS: Yeah.

[00:18:22] JW: Now if I come in as a pin tester, I’ll probably going to know. “Hey, this is how you wrote that code. So I'm going to try to poke holes in it.” Right?

[00:18:29] CS: If you know where the vulnerabilities are. Yeah, exactly.

[00:18:32] JW: That's it. That's it. Exactly, right. So anyway, and then you could start to get into more of the design. That would be another place like some security architect roles or solution developer roles, that kind of thing, where you're starting to take a step back and say, “Okay, hey, as an organization, we're going to put this application in some location.” It's going to be cloud based, or maybe it's on prem and some data center. Maybe it's a hybrid approach or whatever, right? Public-private cloud, who knows, right? So maybe you step into a role where you're starting to look at that. Okay, I know how this application was built. I know what was used to build it. Now I'm going to help guide this organization on where it needs to be placed or what the infrastructure needs to look like, right?

Those would be maybe a few different places to go. But again, there are hundreds, maybe probably thousands of different places you could go in this role. I mean, once you're in that world, especially if you do a good job. Then I mean, I think it's the sky's the limit. Your employer is probably going to be like, “Hey, we have this massive need and you're an awesome employee. Will you come do this thing, too.” I think you probably, if you do a really good job, you may find yourself in a position where you're like, “Man, I can't possibly take all these jobs.” Just wonder or what? It's a good place.

[00:19:51] CS: Well, as we wrap up here today, for our listeners who are ready to get started in secure coding, what's something they can do right after they turn off this video that will move them towards that goal?

[00:20:00] JW: Yeah. I would say if you don't know a programing language, go start to dig into that. Google Python, Go, C#, Java, whatever, and just start to learn the language, right? Also, look for those open source projects and pick one that's a low hanging fruit, maybe that easy, easy one that you could get some experience with. Then I think that would put you on that launchpad to greatness. So that would be a good place to start.

[00:20:27] CS: Beautiful. John Wagnon, thank you so much for your time and insights today. Thank you.

[00:20:31] JW: Thank you so much, Chris.

[00:20:33] CS: My pleasure. Thank you all for watching this mini episode. If you'd like to know more about other cyber security job roles, please check out the rest in Infosec Career Video series. Until then, we'll see you soon.

[END]