Recently the organisation that I work for has approved a new role to be focused on ensuring technical solutions are following secure development practices at the code development level. While the candidate will be aware of network security, it will not be their primary focus, whereas the solution design, testing framework, functional code and CI/CD will be.

The title of the role may be something like: Principal Security Developer.

For a role like this, what are some of the things a candidate should be expected to know and form part of a job description?

I'm aware of OWASP and the Top 10 security threats listed there, and it will form part of the job description.

Thanks.

1 Answer

I'd look up the 'security engineer' or 'security architect' roles for various companies and try to distill the expectations for such a role. Of course, it needs to be tailored to your company's environment, stack, etc.

To quote a few, these are some of the expectations from such a role (taken from a few job postings for the aforementioned categories):

  • Understanding of the SDLC, as well as tools such as Git, RPM or DPKG, Chef, Ansible or Puppet
  • Deep technical understanding of common security vulnerabilities and risks, as well as countermeasures and compensating controls
  • Experience with UNIX and Windows application controls and tooling
  • Usage of source code analysis tools Fortify, Coverity, Clang, or others
  • Proficiency in reading, writing, and auditing >languages used in your company< and the ability to pick up new languages/technologies
  • Knowledge of ubiquitous encryption technologies (PGP, SSH, SSL, etc.) and common protocols (RADIUS, LDAP, Kerberos, SAML, etc.)
  • Some experience with Continuous Integration and development automation frameworks
  • Knowledge of common web application and mobile frameworks
  • Strong business sense (especially applicable for small startups)
  • 5 (or more) years of demonstrated experience in product development, strategy, and market research
  • Previous professional information security experience, with penetration testing or "breaker" experience
  • Experience breaking down complex systems and applications to find flaws
  • Good interpersonal and communication skills
  • Ability to work well with designers and engineers
  • An analytical and metrics-driven work style

CodeExpress

  • Great answer, I did some simple searches based on my own title but thanks for the tips on a few variant takes on similar roles. – Andrew Conn Jan 16 '17 at 23:35