Bob Violino
Contributing writer

What it takes to be a security software developer

Jun 06, 2017 (7 mins)
Careers, Enterprise Applications, Security

Developers with a security focus will be in strong demand, especially for financial, cloud and Internet of Things applications.

Demand is on the rise for virtually all types of cyber security skills, including the ability to develop security software. The seemingly insatiable need for effective new security applications is keeping these professionals busy.

“I think some of the demand will be offset by AI [artificial intelligence] developments within security,” says Zach Burns, executive recruiter at Stratus Search, a technology recruiting firm focused on the placement of technical professionals in positions such as security software developers, security architects, security engineers, and others. “But for the immediate future things are looking good for anyone with a security skills set,” including software development, Burns says.

Cloud storage will continue to grow, and as more devices are connected to the Internet, users will need protection for everything from smart watches to the smart home, Burns says. “Since Google and Amazon are focused on connecting our whole home via smart devices, it will be important to keep everything secure,” Burns says. “The fact is there are more Internet users and more things connected to the Internet every day,” and that will push the demand for security software.

Larger enterprises in general are building their own development teams, but a lot of companies are choosing to contract out, Burns says. “Financial institutions seem to be more invested in hiring full time versus contracting,” he says. “That makes sense because banks have a lot to lose if they’re hacked. They lose customer confidence and the consequences of a hack can cost millions or even more in some cases.”

“I’ve noticed lately a lot of companies say they are looking for candidates with a master’s degree,” Burns says. “However, that tends not to matter as much as the person’s experience and skills.” 

The most frequently requested certification is Certified Information Systems Security Professional (CISSP), Burns says. “Most often I see requirements that the candidates be able to obtain security clearance, usually due to the fact the client does government contract work,” he says. “Architects and higher-level positions may require further certification than a security developer. A lot of security professionals end up in the field inadvertently so a lot of experience is gained on the job rather than through formal programs.”

Steve Syfuhs, security software developer and principal member of technical staff at IT management technology provider Kaseya, has always had an intense interest in security. “There was certainly an undercurrent that took me in that general direction,” Syfuhs says. “There wasn’t actually any particular direction I set out to follow,” Syfuhs says. “I started out as just a developer working on the usual sort of line-of-business applications that drive the internal workings of a company.”

His interest in technology began in high school. “I was fairly critical of how IT was managing the district’s networks,” Syfuhs says. The district was in the midst of a multi-year cutover to a different technology and left a significant portion of the administrative network accessible in the process.

“At some point I got bored in class and started snooping and came across IT’s master password list in an Excel document,” Syfuhs says. “It was password-protected itself, but at the time Excel didn’t have a great protection mechanism and it was fairly trivial to break. It was immediately obvious how dangerous this was, so I forwarded the details to the IT department.”

Shortly thereafter Syfuhs found himself in the principal’s office with the district CIO getting lectured. “There was the usual posturing of threatening to call the police or expulsion, but in reality they just wanted to scare me straight and make sure I hadn’t done anything else,” he says. “In their defense, IT was a small department on a very limited budget, had to contend with 30,000 students in more than a hundred schools spread across all of eastern Ontario, and frankly didn’t need some kid they knew nothing about screwing with their stuff.”

Although Syfuhs was trying to do the right thing, he says he probably went about it the wrong way. The meeting did end well though, with a recommendation that he try to get an internship at the district office. Some time later, he did get that internship and was tasked with various security-related projects such as writing scripts to synchronize identities from the student records system into Active Directory and penetration testing new desktop images.

After attending Humber College for about a year, Syfuhs dropped out and never graduated with any degree. “I actually didn’t take any computer science courses either, because at the time I thought I was doing a better job teaching myself,” he says. “What I did take was various business management courses. My theory was that I could teach myself computer science because I was determined and genuinely interested, whereas I would rely on the college courses to learn the necessary skills to succeed in a business setting. It turned out that I was not well suited for in-classroom learning and preferred in-field learning.”

In 2009, Syfuhs was offered a job as a developer at Woodbine Entertainment Group, a horse racing company, while he was still in college. “This is primarily the reason why I only spent about a year in school,” Syfuhs says. “I spent a lot of my time working on internal line-of-business applications, but did get a few key opportunities to work on important projects. Early on we found the corporate web site had been hacked, so I was tasked with cleaning it up and plugging any other holes that might cause problems.”

It was at Woodbine that Syfuhs got a taste for his particular specialty, identity and authentication. He worked on building a centralized identity system for the 15,000 employees throughout the company that weren’t necessarily part of the corporate network.

About a year and a half later he left Woodbine to join ObjectSharp as a consultant. His primary responsibilities were to work with companies on software development projects, adding specific value in the realm of security and identity management. “I had the opportunity to work with a few well-known companies on things like developing customer identity strategies as well as deploying complex identity federation services,” Syfuhs says.

From there he went to Scorpion Software in 2012 to lead development of its single sign-on product. “Up to this point I had a fairly broad range of knowledge on security and had started taking a serious look at identity management,” Syfuhs says. “Here I honed my abilities through the guidance of Dana Epp, the company founder. I wouldn’t be where I am today without his mentorship.”

It was an interesting role because Syfuhs spent his time developing software, so he needed to have a broad range of skills for basic development. “But at the time I was building secure software, so I needed to have a deep knowledge of secure coding practices,” he says. “Of course, I was building a single sign-on product, so I needed to have a very specific technical knowledge of identity management. It was the perfect storm.”

In 2014 Scorpion Software was acquired by Kaseya, and Syfuhs took on a broader technical leadership role and became the architect of the company’s AuthAnvil product. “My responsibilities broadened quite a bit as we went from being a very small shop to becoming a mid-sized company,” Syfuhs says. “I still code a lot, but now I also consult with other product teams on things like secure coding practices as well as architectural designs.”

The knowledge and skills Syfuhs has gained through the years have come “organically”, he says. “I’ve never had to go back to school, but I am constantly keeping myself up to date with new trends and technologies,” he says. “I’ve always been motivated to learn things on my own, especially the things I find interesting. I also do believe that school can be essential in learning your craft, because it provides a stable environment and resources you may not find anywhere else.”