Why a security specialist should grow from a programmer

Each area of IT has its own so-called quirks and peculiarities in how employees are sought and trained, in how people interact with software, with customers, and so on. In my field, information security, one question is still being debated: "Should a security specialist grow from a programmer?" With 25+ years in IT and information security, I responsibly declare that they should. For me this is not even a question, but many will disagree with me. Today I will lay out my position and explain why it is vital for security professionals to be programmers.

A small clarification: for convenience, I call everyone who writes code, manifests, configs of some kind, and so on, a programmer.

What types of security specialists are there now?

There are several types of security specialists on the market that specialize in various areas of information security. I distinguish two main types:

  1. Classic security specialist is a specialist who ensures the security of information systems and networks and protects them against hacker attacks and other threats. He may be involved in security auditing, incident response, security policy development, etc.

  2. Security specialist who grew from a programmer is a specialist who has programming and development skills but also has knowledge in the field of information security. He may be involved in secure software development, penetration testing, training developers in secure coding practices, etc.

In general, security professionals can have different profiles and specializations, depending on the specific tasks and needs of the organization.

Data center and base

Let's look at the topic using the basic example of a data center. IT is a rather complex infrastructure that begins with data centers and the telecommunication channels, routers and switches that connect them. They form the infrastructure for servers and clouds. Above all of this are the people involved in development, support and work with equipment and software. And above these people, in fact, there is one more layer: the security specialists.

The work of a security specialist can begin with the mundane matter of employees, workers or clients entering data centers. All equipment and hardware placed there must also be protected. And here it is probably worth looking at information security in two directions: development and infrastructure.

In the infrastructure area, the security specialist must protect communication channels, the entire data center infrastructure and everything connected to it, and analyze systems for vulnerabilities and the possibility of attacks, for example DDoS attacks. There are good monitoring systems in this area that allow you to track all of this and notify specialists about particular security problems. They take into account the operation of switches, servers, routers, and even air conditioning and uninterruptible power supply systems: if these fail, the operation of the entire data center can stop.

Accordingly, everything related to infrastructure is actively monitored. You can configure a large number of checks in a monitoring system that collect temperature from particular sensors and voltage and frequency from uninterruptible power supplies, and display all of this in nice graphs. Thresholds on these metrics trigger the corresponding alerts. This all works in real modern data centers. The same applies to communication channels, DDoS attacks, and so on. All of this is already well organized and applied.

Orchestration, SRE and DevOps

We also have an infrastructure layer related to virtualization (VMware, Hyper-V, KVM, Proxmox, etc.) or orchestration (Kubernetes, Docker Swarm, OpenShift, HashiCorp Nomad). All hypervisors should be segmented and isolated and should have defined access policies for the hypervisors and other infrastructure components. Here, too, everything is quite simple and no problems arise. But orchestration directly concerns the work of SRE and DevOps, so more significant information security issues may arise here. Security specialists working with orchestration and virtualization are directly responsible for processes related to the organization's business logic. A large number of infrastructure containers and application containers with business logic are launched here, and these can themselves carry a large number of vulnerabilities. For someone who has never worked in this environment, understanding all of it is closer to impossible than possible.

In this case, the security specialist should first of all be a classic admin. It is desirable that he come from DevOps, and ideally also SRE. These people really understand how infrastructure, clusters and orchestration work, what processes take place there and how to manage them. And they know the main entry points for attacks. A specialist must understand what he is working with and what he must interact with.

If we talk about classic vulnerability scanners at this layer, these are the scanners that relate to Kubernetes: kube-bench, kube-hunter, Trivy Operator, Falco, Aqua, as well as domestic products such as Positive Technologies Container Security and Kaspersky Container Security. These security systems don't just need to be learned; they need to be installed, maintained, updated and worked with. And this work is also partly SRE work, because you need to interact with the components of Kubernetes clusters. A classic security specialist who has never encountered this will most likely not be able to do this work, because he will not have the appropriate competence in this area.

Build and delivery

Let's move on to build and delivery. This is also what SREs do, and in our case it covers all the flows in the CI/CD pipeline. The code repository management system itself can also be susceptible to attacks, so you need to understand how the entire build and delivery pipeline works and what weaknesses and vulnerabilities exist in these systems. If you have never encountered this and do not know how to design and write a flow for the build and delivery processes, you most likely will not be able to understand how to test it for vulnerabilities. There are currently no special scanners that would allow this to be done. You need to look at the business logic of the processes, that is, analyze all the jobs step by step and understand what they do. This is already a question at the intersection of programming and infrastructure.

Another point to pay attention to is containerization and container security. A specialist must clearly understand what containers are, what layers they consist of, what is on each layer and what may be vulnerable in it, with what rights and under which users they are launched, and most importantly, how to fix the problem. Without skills in working with containers, it will not be possible to analyze and eliminate vulnerabilities in them. Often they contain the operating system as the base layer, and some layers hold both artifacts related to the operating system and artifacts related to business logic, that is, the code itself. The nuances of working with the source code that runs in the container are very important, and a security professional who does not know the code will not be able to properly triage vulnerabilities.

Development and testing

Let's look at the top-level story: development and testing. I believe that programming is the basis for understanding and analyzing all vulnerabilities in any information system. A simple example from the infrastructure section: modern routers and switches contain a certain amount of code written by network infrastructure engineers. You need to understand and be able to read this code. In the field of virtualization, there are a large number of configuration files that set up a particular infrastructure in terms of the network and the virtual machines running on it. At the SRE level there is a huge number of YAML manifests used in the environment and in orchestration, for example in Kubernetes. You also need to be able to write and work with them. If we take Docker containers, there are a large number of Dockerfiles from which the containers are built. And only those who write code themselves will understand how configuration data works and how these algorithms and data structures are implemented.
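As an added illustration (not code from the original post) of the manifest work described above and of the container questions from the containerization section (which user a container runs as, what rights it has, how to fix it): a small Python audit over a constructed Kubernetes Pod manifest, with a helper that applies the fixes. The workload name, registry and image digest are hypothetical placeholders.

```python
import copy
# Constructed sample manifest as a dict (what yaml.safe_load would return);
# the workload name, registry and digest are hypothetical placeholders.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "billing-api"},
    "spec": {"hostNetwork": True, "containers": [
        {"name": "api", "image": "registry.example/billing-api:latest",
         "securityContext": {"privileged": True}},
        {"name": "sidecar", "image": "registry.example/log-shipper@sha256:0123abcd",
         "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                             "allowPrivilegeEscalation": False}},
    ]},
}
def image_is_pinned(image):
    """Pinned means a digest reference or an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/path so 'host:port' is not read as a tag
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    return tag != "latest"

def audit_pod(pod):
    """Return (container, finding) pairs for the settings the text calls out."""
    findings = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append(("pod", "hostNetwork shares the node's network namespace"))
    for c in spec.get("containers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        # Pod-level runAsUser/runAsNonRoot apply unless the container overrides them.
        ctx = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        if not image_is_pinned(image):
            findings.append((name, "image tag not pinned: " + image))
        if ctx.get("privileged"):
            findings.append((name, "privileged container"))
        elif ctx.get("allowPrivilegeEscalation", True):
            findings.append((name, "allowPrivilegeEscalation not disabled"))
        if not ctx.get("runAsNonRoot") and ctx.get("runAsUser", 0) == 0:
            findings.append((name, "runs as root (uid 0 is the default)"))
    return findings

def harden_pod(pod):
    """Copy with the runtime settings fixed; pinning needs a real digest, so it is only reported."""
    fixed = copy.deepcopy(pod)
    fixed["spec"]["hostNetwork"] = False
    for c in fixed["spec"]["containers"]:
        c.setdefault("securityContext", {}).update({
            "privileged": False, "allowPrivilegeEscalation": False,
            "runAsNonRoot": True, "runAsUser": 10001})
    return fixed
```

Running `audit_pod(SAMPLE_POD)` reports four findings (the pod's hostNetwork plus an unpinned image, privileged mode and root for the `api` container); after `harden_pod` only the unpinned image remains, because choosing a digest is a decision the tool cannot make for you.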

Knowing the code helps you better understand software vulnerabilities and look for ways to fix them. Programmers notice the things related to entry points and to the processes that handle and analyze particular states. Let's get back to routers. There is some kind of config for the router, and it contains open ports. The network engineer sees what is open and where attacks can come from. It's the same in SRE: there are services that provide access to a specific microservice, and they can be attacked.

Another major advantage of a security programmer is the ability to take an integrated approach to the task of ensuring security. The security specialist must cover a specific area of responsibility. How we do it: AppSec specialists analyze the code and business logic that programmers write. DevSecOps deals with container security and Kubernetes security, that is, they analyze this area in detail. There are also mobile application security specialists who search for vulnerabilities in mobile applications.

Programmers are accustomed to analyzing code at the micro level and carefully checking every line of code for errors and vulnerabilities. All of this is highlighted by scanners. But you need to understand that scanners do not let you identify processes associated with business logic. If there is a chain of attacks that leads to some bad state for the information system, the scanner may not see it. But a security programmer will be able to identify changes and suspicious details that other specialists will not see.

Security programmer training

The next point that needs to be mentioned is the continuous training and development of a security specialist. Information security is changing rapidly, especially recently: new standards and policies are being released, and new vulnerability databases are appearing that need to be updated, constantly maintained and improved. In addition, it is necessary to improve your skills and knowledge in the field of information security. Various courses, seminars and conferences, both online and offline, help with this. We also keep an eye on this and try to always stay on top of these processes.

Thanks to their extensive experience and ability to quickly learn new things, programmers can adapt to these changes more easily and keep abreast of the latest events and trends in information security. It's good, by the way, when programmers work together with security specialists in general. An information security specialist sees the scan results, checks the code and comes to the developer with these vulnerabilities. Based on this data, the developer begins to learn information security. That is, next time he will not make such mistakes, and his level and competence will constantly grow.

Information security courses like "Get into IT in 20 minutes" are also not a panacea here. As a rule, they should be taken by a specialist who already understands code and who has decided to retrain for other tasks or simply to improve the quality of the code he writes. Often certain things are not obvious when writing code, and such courses will help protect the results of your work for yourself and for all colleagues associated with the project. Taking a person from scratch and training him to work with a scanner is not enough to make a good information security specialist.

Summary

A security professional who has grown from a programmer will have a number of undeniable advantages that make him more effective and competent in the field of information security. A programmer with deep knowledge and skills, an integrated approach, attention to detail and a desire to constantly learn will be indispensable in creating reliable and secure information systems. It's even better if the security specialist also has experience in system administration, SRE and DevOps.

Without knowledge of the code and the nuances of writing it, an information security specialist can, at best, only competently interpret the results of scanners. Juniors in information security can be trained to triage defects from scanners and analyze already-solved cases, sent to courses and comprehensively trained to reach the required level of competence.

I'm ready to discuss the topic with you. 🙂
