3

I've noticed that certifications seem to be a big part of the IT Security Professional (non-development), but I have not seen the same attention being given/required of the software development engineer that focuses on application security or building security software.

Am I wrong, and just not seeing it? Or is it true that security certifications aren't as much needed for devs vs general IT professionals (network engineers, admins, etc.)?

I guess ultimately my question is, will certifications be required for a software development engineer that specializes in software security, SDLC, mostly application security (with some/little hints of network security)?

schroeder

2 Answers

3

There are not many security certifications for developers. The simple reason is that there would have to be certs for every language and trend. And considering that trends swing wildly from year to year, there is not enough time to develop a robust security certification that will not be laughed at while the trend is still relevant.

Dev communities opt for calling secure libraries, on-the-job training around secure coding, and testing.

There are general secure coding certs, but they are so general that few people take them seriously.

This is a situation that is not going to change while the innovation cycle in software development is so tight.

IT/Networking pros have a much more stable environment to work in, so the certifications have a chance to grow and mature. Firewalls are firewalls; the only change from situation to situation is the syntax. Phishing is phishing, and the hallmarks, how to identify, how to block, and how to educate users have not changed in years.

Could the IT end of things have a much tighter innovation cycle? Yes. But we have been working for so many years to get the basics right, that there is little need for attackers or defenders to innovate. So, the common body of knowledge remains stable, making it possible to certify against that common body of knowledge.

schroeder
2

In my experience, true programmers laugh at certifications (most of the time for good reason). They care much more about the projects you have worked on.

Some jobs and companies value industry certificates much higher than others. Many companies really just use it as a check box to weed out applications for jobs. There are many certifications out there so I believe it's really difficult to say x is better than y.

But, in general it helps to have certifications such as a CISSP in the information security realm. This certification is usually desired by employers. There are other certifications for information security but this is just an example. I would look at the current job market and try to see what the majority of companies want. It is very tough to say whether they will be "required" but I would say no. In summary, valuable certificates only increase your value and help you get your foot in the door in the software/information security industry.

pm1391
  • Thanks for the input. Actually, I was asking about the developer that focuses on app security, not about the general IT security person. I'm aware that the general IT person is required to have loads of certifications, but I've not heard the same for devs. So I was wondering if I missed something. Thanks – danutz_plusplus Mar 25 '18 at 14:25
  • I see, I edited my answer. But the top remains true. Most of the developers/programmers I've worked with want to see what you have done in projects and the results. They couldn't care less that you studied for a test and passed – pm1391 Mar 25 '18 at 15:00
  • Yeah, that's been my experience as well, but was wondering how the environment is vs what I've heard for IT/Network Security in general. I'm guessing that if your responsibility is writing secure code or actually writing security apps, there's not so much need to prove via a test what you've obviously proven by actually writing code. Thanks for the discussion again – danutz_plusplus Mar 25 '18 at 15:33