
Let's say that you want to hire a developer to deal with a part of a project in which you don't have any expertise.

How can you have confidence that he knows what he's doing since you have no idea what he's doing?

I know that the question might be reduced to "How to trust your developer" but I find the security aspect of it way more complicated because it's impossible to attest what is secure or not. For other things, you can quickly look at what the developer produced and you get an idea of his skills. But, for the security aspect, what do you look at?

Gudradain
  • There are certs to show they at least know the concepts. When it comes to any kind of development, though, the proof is in the testing ... That's why we pay QA the big bucks. – schroeder Dec 06 '16 at 21:51
  • This question is not security-related. When you think about it, the question is "how do you hire someone to do a job you're not better at than he is". And that could be anything – Security Engineer, a physician, an accountant, a tax adviser, a CEO… – Marcus Müller Dec 06 '16 at 22:25
  • If the developer did not claim to be competent in security, then it's on you to train them. Get them certified. Knowing concepts is not enough: get them actual real-world examples, and have them trained. If you have an in-house Application Security Engineer, you can have them develop that training package. – Mark Buffalo Dec 07 '16 at 00:00
  • Are there developer security certs available? Most I've seen are geared towards IT and not software development. Are you suggesting that developers get IT certs/training? While the question may be a little obtuse, I think it isn't something that is currently addressed adequately. Are there security frameworks for developers? I apologize if this is a newbie question. – Ijustpressbuttons Dec 07 '16 at 16:21

1 Answer


To trust someone, you need to establish a basis for trust. That might be knowing about past work, questioning them about their ideology and morals and so on. There is no easy route to trust.

To trust their professional skills is no different. Have they done similar work? Who recommends them? How do they act online and in the real world? Do they exhibit qualities of trust everywhere? Do they have a track record?

But there is a slightly different question that would be a much better one for this forum.

"How can I trust code that a developer has written if I don't understand it?"

Again, there are no magic bullets but there are things you can do to reduce any risks:

  • Do you trust the person? e.g. the first question. If they have a track record of trust, that's a good sign.
  • Make an attempt to understand the code - well-written code will be modular and it should be relatively easy to understand when read, even by non-programmers - if it is important and you really have nobody available to make sense of it, get someone in.

    Incidentally, if someone has written code for you and it is incomprehensible then there is a pretty good likelihood that they've done a bad job.

  • Use tools to analyse the code for common errors and flaws.

You should also be making sure that you specify the requirements correctly. If your spec to any programmer doesn't make clear what quality criteria you need - regarding security, readability and documentation for example - you only have yourself to blame if it all goes horribly wrong.

Julian Knight