Guide to Careers in Software Security and Cybersecurity Software Development
Information technology (IT) systems are comprised primarily of hardware and software. The hardware represents physical system components, such as central processing units, disc drives, and monitors. Software is the coding containing information and instructions that direct hardware operations, provides users with an interface, and coordinates communication between networked computers and devices. Protecting and defending the security and integrity of hardware is one foundational pillar of cybersecurity; developing, testing, and debugging applications, programs, and other software systems represents another major branch within cybersecurity.
Software encompasses a broad spectrum of products that are integral the function of everything from personal computers and mobile devices to large mainframe computers and enterprise IT systems. The computer programs and applications that comprise software are thus a prime target for cyberattack. Indeed, locating and exploiting weaknesses in system software, network software, and/or application software is one of the more common strategies for cyber incursions, and it is through the use of malicious software (a/k/a malware) that an entire classification of cyberattacks is carried out. As a result, software security is a major area of investment, concern, and vigilance in cybersecurity. It is an area of specialization that encompasses efforts to identify and eliminate vulnerabilities in existing business and consumer software products, as well as the process of developing new applications that have built-in security measures.
Employment Opportunities in Software Security
Developing new computer applications and utilities, improving existing software systems, and identifying security weaknesses and potential vulnerabilities in computer coding and software packages is more than just a cybersecurity concern. These activities are one of the central features of the technology sector. In fact, growing awareness of the dangers posed by cyber incursions and cyberattacks has effectively blurred any preexisting line between software design and software security, as vulnerability testing, cryptography, and other security measures have been integrated into the software development process.
In practical terms, this means that companies that create and manage software products, including web and desktop applications, database systems, and enterprise/business intelligence assets, are likely to employ programmers with training in software security methodologies, as well as application and utility testing specialists who are responsible for identifying and eliminating vulnerabilities in software. In addition, computer programmers with software development expertise are employed to design cybersecurity tools and applications, which are software packages that have an explicit cybersecurity function, such as locating malicious code or sensing and identifying network intruders.
While tech companies engaged in software development represent one of the more common employment opportunities for professionals trained in software security, there are also a growing number of cybersecurity firms and consultancy groups that specialize in performing software vulnerability scans, penetration tests, and other types of analyses for clients with information security concerns. These consultants commonly employ software security specialists who fix existing problems for clients and tailor software products to a client’s specifications.
Coders with software security expertise can thus find employment both with application and utility development enterprises and as outside consultants with cybersecurity companies that provide software security services.
Among the job titles that are common in the field of software security are the following:
- Cybersecurity Software Developer
- Secure Software Analyst
- Web Application Security Engineer
Knowledge, Skills, and Abilities for Software Security
There are also open source and proprietary development tools (Atom, GitHub, and Azure, for example) that programmers rely on, as well as application security testing tools, such as Zed Attack Proxy (ZAP), the Python-based Wfuzz and W3af, and Wapiti that are commonly employed by software security specialists. Knowledge of and familiarity with these programming and development tools, as well as with common operating systems, network protocols, web services, and internet protocols, are all part of a competent programmer’s skillset.
Software security concepts and methodologies are another key technical area within cybersecurity. Knowledge of access controls, digital signature capabilities, command line validation, firewalls, cryptographic key management, and other security measures that can be built into new software and/or injected into existing software falls into this category, as do vulnerability scanning and penetration testing. Finally, working in cybersecurity requires a general understanding of the types of cyber threats that computer networks and systems face, common vectors of attack, and tested strategies for detecting, repelling, and defeating unwanted incursions.
The National Initiative for Cybersecurity Education (NICE), a private/public sector partnership administered under the auspices of the National Institute of Standards and Technology (NIST), maintains a Workforce Framework for Cybersecurity (NICE Framework). This framework lists dozens of Knowledge, Skills, and Abilities (KSAs) that are considered to be highly valued in the field of software development and security. The sections below draw on NICE Framework KSAs and on actual job listings for software security professionals in order to provide a representative overview of key areas of expertise that are useful in the field.
General Technical Knowledge
- Computer networking concepts and protocols, and network security methodologies
- Common operating systems
- Critical hardware, software, and IT infrastructure systems, including communication technology
- Database systems and Structured Query Language (SQL)
- Discrete mathematics
- Local area and wide area networking principles and concepts including bandwidth management
- Network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services
- Statistical modeling
Software Security Knowledge and Skills
- Application firewall concepts and functions
- Application security risks, such as those highlighted in the Open Web Application Security Project Top 10 list
- Common cyber threats and vulnerabilities
- Computer assembly languages and their use
- Computer programming language structures and logic
- Interpreted and compiled computer languages
- Object-oriented programming languages, such as Java and C++
- Public-Key Infrastructure (PKI) encryption
- Secure configuration management techniques
- Secure software deployment methodologies, tools, and practices
- Software debugging principles
- Software design tools, methods, and techniques
- Software development models
- Software quality assurance processes
- Software related IT security principles and methods, such as modularization, layering, abstraction, data hiding, and simplicity/minimization
- System and application security threats and vulnerabilities, such as buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language (PL/SQL) and injections, race conditions, covert channel, replay, return-oriented attacks, and malicious code
- System design tools, methods, and techniques, including automated systems analysis and design tools
- Web services, including service-oriented architecture, Simple Object Access Protocol (SOAP), and web service description language
- Vulnerability scanning and penetrations testing tools
- Ability to communicate technical information to non-technical clients and stakeholders
- Ability to think like a hacker/malicious actor in order to anticipate software vulnerabilities
- Risk assessment skills
- Technical writing proficiencies
Training and Credentials in Software Security
There are essentially two broad technical areas in which software security programmers, analysts, and developers must cultivate proficiencies: computer programming/software development; and cybersecurity. There is, however, an increasing amount of overlap in these areas of technical knowledge, as programmers and application developers accept the reality that functional software must be protected against malware, viruses, and other cybersecurity risks. Students who are preparing for a career in web/mobile application development and/or software design can begin by learning how to code as they transition from secondary to post-secondary schooling, taking computer programming courses in high school and/or enrolling in extracurricular coding bootcamps that serve this purpose. Similarly, adult learners who are interested in starting a career in software security can cultivate coding skills in bootcamps and training programs offered by universities, as well as by professional organizations and private vendors.
It is, however, advantageous to have formal academic training in software design, computer programming, and cybersecurity, which is available through the types of bachelor’s and graduate degree and certificate programs discussed in the section below. It may also be helpful to invest in one or more of the professional certification programs that are available to professionals in the field.
Bachelor’s, Master’s, and Graduate Certificate Programs in Software Security
The academic landscape for those interested in software security provides a number of potential pathways. There are Bachelor of Science (BS) programs in computer science, engineering, and software development that give students the opportunity to cultivate a solid foundation of technical skills in areas relevant to software design. Many of these programs incorporate required or elective coursework in cybersecurity. There are also an increasingly large number of schools that offer undergraduate degree programs in cybersecurity. These programs combine training in computer science and programming with coursework that delves into the theories and practices of cybersecurity.
At the graduate degree level, students can gain advanced technical skills in master’s programs devoted to computer science, computer engineering, software development, software engineering, and other similar subject areas. Many schools have either a cybersecurity specialization that master’s students can complete as part of a degree in computer science, software development, and/or engineering, or a master’s program in cybersecurity that focuses specifically on topics that are central to building and maintaining secure cyber systems, which includes software applications.
There are also schools that offer graduate certificate programs in software development, software design, software engineering, and other cybersecurity specializations that can help students who already hold a bachelor’s or master’s degree cultivate software security skills without having to complete an entire master’s degree program.
Professional Credentials and Certifications in Software Security
Outside of academia, there are private professional organizations, vendors, and training companies that provide training in various coding and cybersecurity skills and administer certification programs, conferring credentials that some employers may require or prefer. Software security is a specialization that draws on a number of different KSAs, including proficiencies associated with ethical hacking/penetration testing, web development, cloud security, and data management. There are various types of certifications available in these knowledge areas, as well as certifications that are more narrowly focused on secure software design and development.
For example, the non-profit training and credentialing organization ISC² (International Information System Security Certification Consortium), offers the Certified Secure Software Lifecycle Professional (CSSLP) certification; the non-profit Institute of Electrical and Electronic Engineers (IEEE) offers the Certified Software Development Professional (CSDP) credential; and the for-profit SANS Institute has Global Information Assurance Certification (GIAC) programs that confer the GIAC Python Coder (GYPC) credential and the GIAC Certified Windows Security Administrator (GCWN) credential. These professional certifications, and several others that can be useful in the field of software security, are listed below.
- Certified Application Security Engineer (CASE), offered by the International Council of Electronic Commerce Consultants (EC-Council)
- Certified Secure Software Lifecycle Professional (CSSLP) and Certified Cloud Security Professional (CCSP), offered by ISC²
- Certified Software Development Professional (CSDP), offered by the IEEE
- GIAC Python Coder (GPYC) and GIAC Certified Windows Security Administrator (GCWN), offered by the Sans Institute
Examples of Jobs in Software Security
The section below provides examples of common employment opportunities in the field of software security. Each example offers an overview of job responsibilities and requirements, including training, education, and technical skills. These examples are composites of actual job listings for software security professionals.
Security Software Engineer
- Primary Responsibilities: Evaluate, integrate, and maintain security features within IT system software; perform scans to discover software vulnerabilities, report those vulnerabilities, and work to remediate those vulnerabilities; and evaluate and test new secure software applications as part of a software development team.
- Education: Bachelor of Science (BS) in computer science, engineering, cybersecurity, information systems, or a related field.
- Experience: None specified for applicants who hold a bachelor’s degree in computer science, engineering, cybersecurity, information systems, or a related field.
- Credentials: None required, but relevant professional certifications taken into consideration as part of the hiring process.
- Technical Proficiencies: In-depth knowledge of coding in at least one primary programming language, such Java, Python, or Golang; familiarity with secure software tools, including static application security testing (SAST), security control assessment (SCA), and dynamic application security testing (DAST) tools; and experience with the software development lifecycle, security practices, and the tooling used in developing and deploying secure code.
- Other Attributes: Ability to communicate clearly, both orally, and in written form; and the ability to work with a team of software developers.
- Primary Responsibilities: Design, document, develop, and implement web applications, including user interface screens and data interfaces, using Microsoft Visual Studio, C#/ASP.NET, Git, T-SQL, and Data Access Layer (DAL) code; develop SQL databases and queries; and implement secure coding methodologies in software development processes.
- Education: Bachelor of Science (BS) in computer science preferred.
- Experience: Three or more years in software development; one year with Visual Studio.
- Credentials: None specified.
- Other Attributes: Ability to multitask and prioritize work effectively and efficiently; and written and verbal communications skills.
Software Security Analyst
- Primary Responsibilities: Prepare and conduct vulnerability scans of client systems and networks; analyze the results of vulnerability scans, phishing tests, security alerts, and other system metrics to identify software vulnerabilities; and work with a team to provide clients with compliance ready secure software systems.
- Education: Bachelor’s degree in computer science/IT management preferred.
- Experience: Two or more years in an IT support/management role.
- Credentials: None specified.
- Technical Proficiencies: Object-oriented programming skills; familiarity with various components of enterprise IT systems; knowledge related to cybersecurity risks and modes of cyberattack, including malware, phishing, and ransomware; ability to work with vulnerability scanning tools to assure the security of software applications; and familiarity with compliance standards and privacy requirements in the healthcare industry.
- Other Attributes: Strong professional communication skills (written and verbal); comfortable working with technical information; and a calm and focused problem-solving approach.
Web Application Cybersecurity Engineer
- Primary Responsibilities: Review, test, optimize, and support cybersecurity applications; perform web application testing; implement preventative measures against malicious actors; engage in web application penetration testing exercises; and report on results of penetration testing and application testing measures.
- Education: Bachelor’s or master’s degree in computer science/computer engineering or a related field.
- Experience: Two or more years in coding, application development, and software debugging.
- Credentials: Linux Foundation Certified Engineer (LFCE), Microsoft Certified Azure for SAP Workloads Specialty, and/or Amazon Web Services (AWS) Certified Solutions Architect considered a plus.
- Technical Proficiencies: Expertise with Linux operating systems and cloud computing, static code analysis (SCA), IOS application security, coding in Python, packet analysis using Wireshark, and cloud hosting services (Microsoft Azure and AWS).
- Additional Attributes: Strong technical communications and problem-solving skills; skill in troubleshooting and incident hunting; and familiarity with the Open Web Application Security Project (OSWAP) and its resources.