Application and software security professionals have a single focus job description: “help developers write more secure code to limit vulnerabilities.” Therefore, everything an AppSec team does should focus back on this single core statement.
AppSec teams deploy security tools into build pipelines to discover coding flaws and potential vulnerabilities so that developers can fix those issues before production. AppSec teams teach developers about security, including facets of secure coding principles for the developer’s specific tech stack. AppSec teams lead and facilitate threat modeling sessions to identify business logic issues that could hamper security if those issues are allowed to reach production. All AppSec and Software Security is focused on helping developers write more secure code to limit vulnerabilities.
Can you exist as an application and software security professional without fundamental knowledge of a single coding language? As background, consider “Why cybersecurity pros need to learn how to code.” That post argues that coding knowledge benefits various roles within cybersecurity: AppSec Lead, SOC Analyst / Threat Hunter, Auditor, Pen Tester, and CISO. It concludes that everyone in cybersecurity benefits from learning how to code, listing the coding value proposition for each role.
Out of a desire to learn more about the application security community, a LinkedIn poll was created that asked AppSec people a single question, “how many development (coding) languages are you fluent in?” The answers surprised me a bit.
No language fluency
At first blush, the thought of application security professionals having no knowledge of at least one object-oriented language is astounding. But the picture begins to change if we consider how people make their way into cybersecurity.
Not every person makes their way to cybersecurity through a Computer Science background. A student cannot complete a CS degree without learning a few object-oriented programming languages. What if you make your way to cybersecurity through a system administration background? You can administrate many systems and networks without coding. You may learn scripting to make your job easier, but is it true object-oriented coding?
Entering cybersecurity through a different door is not a lifelong excuse for not learning how to code. On the contrary, the value and influence of learning a coding language are priceless when working with developers.
Imagine a situation where you drop off your car for service, and the mechanic explains that she has a teacher working with her for the day who will instruct her on your repair because of its complexity. The teacher happens to be grabbing a cup of coffee in the waiting room, and you ask how many cars they have mastered this repair on. If the teacher answers zero, you will have severe doubts about the safety of your vehicle when you leave that service appointment. The same thing applies to coding — you must have domain-level experience in the subject you are asking for influence within.
If you find yourself in this boat, know there are inexpensive opportunities to learn that first coding language. From online coding sites to a formal school to pairing with an existing developer, you’ll find that if you desire, you’ll have the opportunity to learn.
1-2 language fluency
The largest category of findings was those AppSec professionals fluent in one to two languages. This is encouraging because fluency in a single language prepares you to extend to multiple languages. While each language has its own nuances and details to learn and understand, having a fundamental knowledge of one object-oriented language allows you to apply that knowledge to many other languages.
Reading code and advising on design are the two primary efforts that an application security professional must undertake. In addition, knowledge of that single language prepares you to read code in other languages and ask questions of your developer friends. These questions are based on knowledge and not ignorance.
“I think software architecture and cross-boundary knowledge are more important than one language, per se. What tends to happen is that when you cross architectural boundaries you run into multiple languages. Concepts are the same across languages, only the syntax is different. Solid programming concepts are more important than one language, I would argue. Pattern recognition over being an expert in one language is more important.” (Tony Vargas)
3-5+ language fluency
This 3-5+ group is just showing off. Just kidding. It is excellent that we have application security professionals who have embraced the skills their development populations utilize. People with this much subject matter expertise make a difference when working with their developers. Those developers cannot look at these folks and say, “you don’t understand what I do.”
Language fluency does not mean the ability to code without using any references or resources. Using Google and other sites to help remember the syntax of a new language is not a weakness; it’s a superpower. Developers use resources all the time to solve a specific problem. AppSec professionals can use the same resources for success.
Beyond language fluency, the best application security professionals understand the entire development lifecycle. From source code control systems to issue trackers and build pipelines, the best of the best understand all that developers have to deal with, and they can advise and roll up their sleeves alongside the development teams.
If you’re an application security professional who doesn’t know how to code yet, do not feel shame after reading this article — be excited to expand your mind as a lifelong learner and pick up that first coding language. Python is a great place to start, given the depth and breadth of available information, tutorials, and videos online.
Take this article as a charge to learn what your developers know so that you can achieve the core application security mission — “help developers write more secure code to limit vulnerabilities.”