This is what you need to know if you want to become a Security Software Engineer
Introduction
One of the most common questions that I receive when I teach some of my co-workers and students about security is “Where do I start?”, “What are the areas that I can work in the security field”, “Do I need a bachelor’s degree?”. Well, this is going to be a very personal post, answering all the questions that I’ve been asked, everything that I’m going to share is 100% from my experience, based on the analysis that I’ve been doing of the Security Engineering Market and the Place that you are located.
Before start let me introduce my self… I’m not good at it and I do not want to share too much PII (Personal Identifiable Information). My name is Josue Carvajal, and I’m a Senior Security Software engineer that has been in this field for the past 4 years. I do have a bachelor’s degree in computer science and I’m a certified Ethical Hacker (CEH) and Security+ from CompTIA.
If you want to know how do I went from 0 knowledge on Security to get my first Security Job until I’ve become a Senior Security Engineer, please read the Summary of my Journey, if not, you can skip to the Where do I start? section.
Brief overview of my journey
The problem of Universities in my country (Or most of them).
You may wondering if I did received a security approach while I was studying computer since, and the short answer for this is: NO. But let me elaborate a little bit more on it.
During those 4 years of University it was purely focused in Development, Project Management, good practices and testing. The goal was to get the things done and make sure it was not going to break, even though it was not properly secure.
What really matters!
As you can see, I did not receive any security training during my time in the university until I took a formal summer class called “Security Concepts — Advanced Course” and I was fascinated! Our teacher showed us how he got access to an android device and access the camera! This was the start of my journey! And thanks to this I was able to get my first job as a Security Java Developer in which I was able to move to another position called Security Escalation Engineer at ArcSight, Microfocus.
So why I’m sharing this? Well, you do not really need a bachelor’s degree for some security areas BUT it is a big advantage in your professional growth since the higher the position, the higher the responsibilities and background you need. As you can see I want you to know that you do not need to have any kind of certification to get your first job in this area, if you are able to show the interest and expertise you are going to nail it! But make sure to keep learning since it will allow you to get better positions and a better salary!
Identifying the right path to follow!
During my time at ArcSight, I’ve learned a lot about SIEMS, Collectors, Security devices, Networking, Operative Systems but I wanted to learn more! I knew I was good at Linux, Bash, and solving complex problems, so, I started attending different webinars to know “How to Start” and started building my own path! At this point I’ve started to obtain security certifications and follow the goal that I wanted: to become a DevSecOps engineer and some day work in another country, maybe Canada, New Zeland, USA. I do not know, I feel good when I think on it (I’m currently located in Costa Rica) Hopefully some day...
As you can see I knew what I wanted, but this was not an easy decision, it took me a couple of years to realize where I wanted to put effort, so don’t feel bad if you do not know yet! Keep exploring, at the end you will be a better engineer since you might know how the things are done in different areas!
If you do not know the areas of specialization, please keep reading!
Areas of specialization
The same way computer engineering is not only programming, security is not only performing actions that you saw in the Mr. Robot series. There are a wide number of branches that you can follow depending in the areas of your interest and these others generates a bunch of new branches, so do not give up!
Some of those areas are:
- Penetration Testing: I think everyone in the field gets excited about this, Here is purely practical but also requires a lot of knowledge, here you test systems security capabilities in order to report back those vulnerabilities to the blue team, that will fix it to avoid damage of an external threat.
- Security Software Engineer: Most of the common ones, can vary from Application Security to Cloud Security, requires security knowledge depending of the area that you are focusing, some of the duties are: to patch vulnerabilities, to improve the security standpoint of your application, maintain LDAP, etc.
- DevSecOps Engineer: Similar as a DevOps but adding a security layer to the process, we improve the security standpoint from the creation, building and release of the systems in order to quickly fix any vulnerability found. We find ways to secure our SDLC (Secure Development Life Cycle) and helps the developers to improve the security quality of the code.
- Security Analyst: The most common one, usually does not requires bachelor’s degree, can be seen as a “Secure support” in which you work with a SIEM to find IoC (Indicators of Compromise)
As you can see, these are just a summary of those roles that you can find withing the security field, all of them requires at least some type of certification.
Are certifications worth it?
It depends, but in the security field there are highly valued certifications that you need to get more points that your competitors, as I said earlier, the Universities often does not graduate people in security, security is something that you need to learn on your own and the way to probe it is by using highly looked certifications. So yes, they are worth but not all of them, it will depend in the area of specialization that you want to be part of.
What certifications do I need?
I personally recommend the CompTIA Security+ to start getting familiarized with the concepts, the way of thinking and to confirm that you really like this field. BUT here is a cool tool: Security Certification RoadMap that show you, depending of your areas of interested what kind of certifications are good for that position, the price and the link for the official page!
Also, I do recommend to deep dive in LinkedIn and check what types of certifications do the companies are looking for, for the area of specialization that you want to be!
For example: I know that for pen-testing, one of the most valued certification is from OSCP, here you can see the number of job posting that contains that certification for the USA.
And here one for the CISA, for audit.
My two cents
I did a lot of mistakes! I had a lot of frustration, headaches and wanted to quit from this security journey, mostly because I was not finding my next big move, I know it was going to be hard, even though I had offers from IBM, Pfizer & EY from different positions: Incident Responder / Security Correlation Engineer / Penetration tester! Those were not in the DevSecOps area!
Security field is challenging and there are big tech companies trying to find an All-in-one engineer to do from DevSecOps to Pentesting and Incident Management and they want to pay like us like a junior dev! Be careful with those type of companies, red flags can be found easily in the job description!
But even though I knew it was going to be hard, I was able to made it! And if I was able to do it, you are able to do it as well!
With that said, here are some other advises:
- Make sure to identify what are the most common fields of your country: for example, in Costa Rica you can easily get a Security Analyst position with a few certs, but not for penetration testing, there are a few openings and all of them require a lot of certs and a lot of years of experience! Make sure to put the efforts in an area where you can start gaining experience.
- Identify the requirements for the given position: Identify what types of certifications does it requires, years of experience and also if it needs or not a bachelor’s degree (Because if you have one probably you will get underpaid in another security field)
- Schedule & Duties: Make sure if the job description contains “On call Rotation” quote, this means they are rotating working hours! I’ve discarded a lot of positions due to this, security field can easily cause burn out if you are in the hands of those big techs that does not cares about their employees, so make sure to check that carefully and make sure the posting company has good reviews for your contry, this can be found at Glassdoor, so make sure to do this homework before you start! This will save you a lot of headaches
- One step at a time: I’ve seen a lot of people trying to install all the tools at once, paying a lot of subscriptions to “speed up their process”, learning networking, pen testing techniques, and everything at ones, it is not always a good idea, focus in a tool or a specific area, understand how’s that is applicable, how to improve it and how to prevent. And you will boost your knowledge. Interviews are mostly situational so you need to know how to think before just throwing commands or concepts on paper.
Thanks for reading, I hope this will help you to find a clear path in this journey! Just remember everything was from my point of view, so you can disagree with me in some areas. Feel free to add me to your LinkedIn network and rate this post if you like it!
Oh, one last thing: make sure to look forward even if the sun hits you in the face.