Software Dev in security space, where from here?

Scougar · 4 Aug 2021 at 15:16

I'm primarily a java developer for past 15 years or so.
This started with a heavy transaction based role for government.
Then moved to a big etailer that had by the minute price changes for products and heavy reliance on search ability and being able to show the right products.
Now at a legal services company where I recoded the entire login, security flow. Heavy spring boot use, containers, ldaps, db etc.

So, as those in the field know, coding is quite a small part of the process and being able to figure things out connect all the pieces and configure are huge parts of being successful.

Anyway, the question: I want to go even further into the security space, whilst somehow retaining my development skillset and wondering how I can achieve this? What sort of roles should I look for that won't place me in the "tech guy" role. I want to get into cyber security more, but really trying to not lay waste to my 15 years of pro-experience, or find myself in a boring configuration role.

Edit: At present, we are doing (again) a much updated version of our login process to be even more secure, and looking like my coding role will be lessened, and I will get training in the OTS product that is kinda config based. This is not where I want to be going if possible.

FerretBoy · 4 Aug 2021 at 16:30

I'd let the dev skills go, as I have done (software Architect now). It's all about the ability to learn anyhow, technology, principles and practices are always changing.

A move in to cloud security could be fun, lots to learn.

Otherwise maybe consultancy will offer you a challenge.

Scougar · 4 Aug 2021 at 19:06

I feel I'm lacking in the design area, so it's definitely an area I need to go back into. I haven't done any real modelling for years. It's all small stuff design wise. Not sure Architect yet is my thing. I've got no problem learning when it matters.

If I stay with the current company, I'm not sure cloud is the way to go, or at least if we did it would be on-prem cloud. I'll look into it though, and see what we can do. I am sure I could swing something towards the container (RHOS/kubernetes) side of things alongside the security parts.

dowie · 5 Aug 2021 at 02:33

I don't see why you'd need to stop being a developer? Surely just move to a dev role in that field.

Scougar · 5 Aug 2021 at 06:10

Mainly because the corp world seems very silo'd. I don't know if there are specific roles for what I'm asking.

Security Software Developer I guess? lol.

dowie · 5 Aug 2021 at 16:26

I don't see why not. I mean someone needs to build various security-related products and tools used for security-related services for example.

There was a consultant at my old place who moved into a cybersecurity-related consultancy role at another place (he wasn't experienced in security, he's experienced as an implementation consultant), likewise, a friend of mine is a project manager in a security role (which I think is a bit broader than just "cyber"). I know of a data science/ML guy from uni doing cyber security-related work.

I guess it depends what you want to do, I'd presume that for some roles you might need something other than Java mind.

At one end of the scale there must be some ad-hoc dev roles embedded within security-related teams out there? Certainly at a (financial) software vendor I worked at we had developers embedded with both the QA and the software management teams, their roles weren't to work on the product itself but rather the code they wrote either helped automate aspects testing of the product or delivery of it to clients - not exactly complicated stuff but in some cases, a bit more than the average non-developer/techy type can do. I guess aspects of this could fall under DevOps now - perhaps look at some security DevOps roles?

At the other end of the scale, there will presumably be some roles requiring detailed knowledge of operating systems (and their potential flaws), internet architecture etc.. and requiring you to write low-level code.

I guess another thing to look at could be combining the data side of things too - probably reasonably hard to get into as per FAANG type interviews but this firm or maybe something similar could be worth a look: https://en.wikipedia.org/wiki/Palantir_Technologies

Also, check out financial firms - big hedge funds are super paranoid about security for example and have a bunch of IT staff dedicated to it. Banks might be worth a look too etc..

Scougar · 5 Aug 2021 at 16:32

I work for a legal services firm that does work for fortune 500 companies among other things, so security is always high on the agenda.

I just don't want my work to become paperwork/report driven..that would drive me nuts. Lol.

I have buddy that wants me to come work at his bank. Banks are inherently unstable though in regard to staff, so I don't find that particularly appealing.

Ev0 · 5 Aug 2021 at 22:39

Maybe look at something like DevSecOps roles?

https://www.redhat.com/en/topics/devops/what-is-devsecops

Or development roles a security software vendors?

First place I thought to look for examples and these popped up when looking for security + dev roles:

https://careers.ibm.com/job/1353051...stem-security-remote/?codes=IBM_CareerWebSite

https://careers.ibm.com/job/1348527...are-developer-remote/?codes=IBM_CareerWebSite

Scougar · 6 Aug 2021 at 19:06

Good suggestion there Ev0. (and dowie I see you suggested this as well).

I'll take a look into what we have in those roles here at my current place. I already have a very good rep with the operations team etc, so it might be worth my time asking around.