
This is a question more about how the market is for a software engineer with a focus on application and information security, mainly development and software engineering, either of secure practices while developing apps/systems, or of actual security software development (either tools or cryptographic implementations). I've spent some time in this field for the past couple of years, and was wondering what my future in it would look like.

One concern of mine is that most of the time spent working in this field seems to be focused on properly using secure libraries/APIs and managing/configuring systems, and very little time is spent on actually developing custom security protocols using security primitives (crypto libraries/implementations, etc.). Most of the time, developing custom flows is heavily discouraged, for very good reasons, unless you're experienced enough, and even then it's a matter of not having enough eyes on your implementations. And I'm not even going to mention implementing crypto libraries, which is a huge other can of worms.

But ultimately I see that in order to be fully invested in this field (as an implementer, and not a simple consumer of implementations) you need to be very experienced, but everywhere you hear "don't get experience in production systems, as it's too risky" (as I said, for very good and understandable reasons). So, I'm considering what paths of activity there are in this field. Is it really that most of the activity comes down to keeping up to date with best practices and making sure to use proper implementations/configurations?

And the only chance to work as an actual implementer is either in academic circles, where maybe your work will get enough recognition and be reviewed enough that it starts to get acceptance, or working for really big software companies that truly invest in researching security design and implementations.

So, after this long preamble, my question: is it true that most of the time spent in software development with a focus on security comes down to consuming security libraries/implementations and configuring the use of those, with far less focus on implementing security flows or security primitives? And if you want to focus on actual development, are your best chances either in academia or in large companies that are actually invested in research and development?

  • *"...hope to spark a good discussion about this."* - This is not a discussion forum but a question and answer site. I have trouble finding a clear question here, and the bit I've found (*"Did I miss anything in my assessment?"*) is broad and answers will be primarily opinion based. Therefore I propose to close this question. – Steffen Ullrich Mar 30 '18 at 08:10
  • Sorry for that Steffen. I've removed that part, and formulated a question at the end. I'm well aware that it's maybe not a good question. – danutz_plusplus Mar 30 '18 at 08:19
  • While the question is more focused now, I still find it primarily opinion based (but I've removed my vote to close it). My opinion: I think it is actually a good thing for security if development uses established, well-tested and known secure libraries instead of writing its own code. But if you work for companies which create security products (instead of just trying to keep their products secure) there is usually still enough new code to develop, since common libraries don't cover all the specific use cases. – Steffen Ullrich Mar 30 '18 at 15:55
  • You're very right. I guess the question is also part stream of consciousness about some worries I'm having about continuing in this field. I'm worried about being able to make security work a main activity in my professional life vs it just being something I'm doing on top of actual development, and thus having to split my time/attention in two quite distinct and large areas, without getting the proper compensation. And I mean working/getting paid as a regular developer, but spending quite a bit of my own time in security to also bring that to the table. And also bearing the responsibilities. – danutz_plusplus Mar 30 '18 at 20:58

1 Answer

I consider these kinds of questions (and answers) valuable for reference purposes, so I'll give you some answers:

> 1. Is it true that most of the time spent in software development with a focus on security comes down to consuming security libraries and implementations, and configuring the use of those, with far less focus on implementing security flows or security primitives?

Yes, the vast majority of the industry consumes rather than produces security primitives. (One might say, resulting in the production of more insecurity...)

> 2. And if you want to focus on actual development, your best chances are either in academia or large companies that are actually invested in research and development.

Sort of. A better dynamic is to look at producer/consumer relationships in the software ecosystem. The specific test isn't necessarily about the size of the company, but about the distinction between what's core and what's ancillary to the company/org mission. A small company focusing on a specific security niche- there are very many of these now- will need to have some deeply skilled talent working on unique primitives. And many large companies that by rights and risk should have security as a productive focus are instead merely consumers, with very large scale problems consuming libraries and managing configuration.

I'll touch on one other aspect-

> And the only chance to work as an actual implementer is either in academic circles, and maybe your work will get enough recognition and be reviewed enough that it starts to get acceptance. Or working for really big software companies that truly invest in researching security design and implementations.

Implementation has a LOT of different meanings. Using the term implementation to describe the academic process- work on papers, POCs, getting recognition, reviewed, etc- in my experience, that is not a common use of that term. Typically implementation would mean- writing code, building a system. Academics typically get training and build models; very, very few build working systems in academia.

Re: the meaning of implementation that comprises writing code and building a system- there is a TON of opportunity/need to actually write- and better, READ- security-sensitive code in the open source community. One has only to look at the openssl crisis a few years back to see how desperate the industry was- and still is- for implementation-level contributors and reviewers. There are no structural barriers- just read the code, find problems, submit improvements. To a first approximation, carefully constructed PRs are a great equalizer.

Jonah Benton
  • Very much appreciate your answer, Jonah. So it's not as bleak as it would seem. But with the OpenSSL debacle, I'm not sure I believe the issue is that there are not enough skilled people to handle that. I have a suspicion that the issue is that our industry/corporations love to use software that doesn't cost them anything. And conversely, and absolutely understandably, skilled people don't like to work for free so that private companies can benefit without contributing. But that's getting a bit off-topic. Thanks again for your input. – danutz_plusplus Mar 31 '18 at 01:14