This is what you need to know if you want to become a Security Software Engineer

Introduction

One of the most common questions I receive when I teach some of my co-workers and students about security is “Where do I start?”, “What areas can I work in within the security field?”, or “Do I need a bachelor’s degree?”. Well, this is going to be a very personal post answering all the questions I’ve been asked. Everything I’m going to share is 100% from my experience, based on the analysis I’ve been doing of the security engineering market and the place where you are located.

Brief overview of my journey

The problem with universities in my country (or most of them).

You may be wondering whether I received any security training while I was studying computer science, and the short answer is: NO. But let me elaborate a little bit more on it.

Image #1. Your First Login

What really matters!

As you can see, I did not receive any security training during my time at the university until I took a formal summer class called “Security Concepts — Advanced Course”, and I was fascinated! Our teacher showed us how he got access to an Android device and accessed the camera! This was the start of my journey! And thanks to this I was able to get my first job as a Security Java Developer, from which I was able to move to another position called Security Escalation Engineer at ArcSight, Micro Focus.

Identifying the right path to follow!

During my time at ArcSight, I learned a lot about SIEMs, collectors, security devices, networking and operating systems, but I wanted to learn more! I knew I was good at Linux, Bash, and solving complex problems, so I started attending different webinars to learn “How to Start” and started building my own path! At this point I started to obtain security certifications and follow the goal that I wanted: to become a DevSecOps engineer and some day work in another country, maybe Canada, New Zealand, USA. I do not know, I feel good when I think about it (I’m currently located in Costa Rica). Hopefully some day...

Areas of specialization

The same way computer engineering is not only programming, security is not only performing the actions you saw in the Mr. Robot series. There are a wide number of branches you can follow depending on your areas of interest, and each of these generates a bunch of new branches, so do not give up!

  • Security Software Engineer: One of the most common ones, it can vary from Application Security to Cloud Security and requires security knowledge depending on the area you are focusing on. Some of the duties are: patching vulnerabilities, improving the security posture of your application, maintaining LDAP, etc.
  • DevSecOps Engineer: Similar to a DevOps engineer but adding a security layer to the process; we improve the security posture from the creation, building and release of the systems in order to quickly fix any vulnerability found. We find ways to secure our SDLC (Secure Development Life Cycle) and help the developers improve the security quality of the code.
  • Security Analyst: The most common one, usually does not require a bachelor’s degree; it can be seen as “security support”, in which you work with a SIEM to find IoCs (Indicators of Compromise).

Are certifications worth it?

It depends, but in the security field there are highly valued certifications that you need in order to get more points than your competitors. As I said earlier, universities often do not graduate people in security; security is something you need to learn on your own, and the way to prove it is with highly sought-after certifications. So yes, they are worth it, but not all of them; it will depend on the area of specialization you want to be part of.

What certifications do I need?

I personally recommend the CompTIA Security+ to start getting familiar with the concepts and the way of thinking, and to confirm that you really like this field. BUT here is a cool tool: the Security Certification Roadmap, which shows you, depending on your areas of interest, what kinds of certifications are good for that position, their price and the link to the official page!

Image #2. Security Certification Roadmap

My two cents

I made a lot of mistakes! I had a lot of frustration and headaches and wanted to quit this security journey, mostly because I was not finding my next big move. I knew it was going to be hard, even though I had offers from IBM, Pfizer & EY for different positions: Incident Responder / Security Correlation Engineer / Penetration Tester! Those were not in the DevSecOps area!

  • Identify the requirements for the given position: Identify what types of certifications it requires, the years of experience, and also whether or not it needs a bachelor’s degree (because if you have one, you will probably get underpaid in another security field).
  • Schedule & Duties: Check whether the job description contains the phrase “On-call Rotation”; this means they are rotating working hours! I’ve discarded a lot of positions due to this. The security field can easily cause burnout if you are in the hands of those big techs that do not care about their employees, so make sure to check that carefully and make sure the posting company has good reviews for your country. This can be found on Glassdoor, so make sure to do this homework before you start! This will save you a lot of headaches.
  • One step at a time: I’ve seen a lot of people trying to install all the tools at once, paying for a lot of subscriptions to “speed up their process”, learning networking, pen testing techniques, and everything at once. It is not always a good idea; focus on one tool or one specific area, understand how it is applicable, how to improve it and how to prevent issues, and you will boost your knowledge. Interviews are mostly situational, so you need to know how to think before just throwing commands or concepts on paper.


Sr. Security software engineer working in the DevSecOps area. CompTIA Sec+, C|EH

Josué Carvajal