Should Developers Get Security Certs?
Bear Giles | January 7, 2016
Something that quickly stands out when you review the various security certifications is that nearly all of them require documented work experience: documented primary work experience, as in your job description, and not just security work done as part of a non-infosec job. (As a counterexample, you might be a devops engineer implementing a PCI-DSS-compliant system. You have to know a lot about security, but your job title will be developer/architect/etc. and that time will not count towards these certifications.) CompTIA is a notable exception, and it catches flak for it from some people.
Does this make sense?
I think it does in the NOC. I keep coming back to an analogy to EMTs: you want someone well-trained and experienced who can respond quickly and accurately on the front lines. A certificate that requires experience can greatly simplify the life of the hiring manager.
However, I think that it does NOT make sense outside of the NOC. Experience is rarely a bad thing, but if you’re designing and building software you don’t just need to know what the latest attacks are; you need to integrate security fundamentals with development experience in order to anticipate where today’s bright idea could lead to attacks and how to avoid them. It’s not a one-legged stool where you can get by with just infosec experience or just development experience. You need a balance of both.
Why would a developer want to go to the cost and effort to get a formal certification?
The job requires it
Some jobs, esp. in the defense industry, require formal certification for developer positions (IAT level II or III under DoD 8570.01-M). This is a complex situation since these jobs often require a security clearance as well and in a strong job market many developers may decide it isn’t worth the hassles.
This is not a theoretical concern to me since there’s a good match in town, but it requires a TS/SCI clearance. Is it worth the hassles when there are at least a half-dozen other positions within a few miles of home that won’t ask for (and leak!) highly sensitive information in another OPM leak? Once is enough.
The job requires ongoing training
Many jobs require ongoing security training. That’s a few days to a week dedicated to learning the latest developments (e.g., drop any remaining use of SHA-1 immediately) with background training throughout the rest of the year by senior developers. You don’t have to have formal certification to perform the latter role but it makes life easier for everyone involved since it establishes a clear floor for the annual updates.
The agile methodology requires an advocate for security
The agile methodology is widely used since work is prioritized by the “product owner” on the basis of business needs. This is obviously a Good Thing since it provides the best value to the business but product owners are not security experts and might not understand the importance of security user stories. A team advocate for security can help educate the project manager and product owner. The best way to ensure the product owner will listen is to have a disinterested third party attest to his or her skills.
It’s cheaper to design it right than patch
This is true of all design methodologies – it is always cheaper to make a change early. A design with an eye towards security – esp. noticing where seemingly small changes will dramatically strengthen or weaken security – will always be cheaper to implement than a security-blind design that has to be fixed later. Once again the knowledge does not require certification but convincing non-technical people of the importance of the changes might.
It makes you a better developer and tester
Finally, security training makes you a better developer and tester because it gives you a better awareness of how things can break. If we’re in a hurry we’ll often write test cases that cover the happy path plus one input that exercises each conditional branch, and overlook the fact that the code isn’t checking everything it should. This is why test coverage is a risky metric: it measures which lines ran, not which assumptions were questioned. Security awareness means we can take a step back and ask how we would attack a piece of code if we were the attacker, and that question is likely to expose unwarranted assumptions.
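As an added illustration of that point (this is an example written for this post, not code from the original article, and the base directory, function names and report names are made up), here is a function whose two branches are both exercised by the usual happy-path tests, yet whose unwarranted assumption only shows up when you write the test an attacker would write. The hardened version makes the assumption explicit and checks it.

```python
import posixpath

# Constructed example: a base directory that reports are supposed to live under.
BASE = "/srv/reports"


def report_path_naive(name):
    """Return the path of a report file.

    Both branches below are covered by tests that pass an empty name and a
    normal name, so branch coverage reports 100%. Neither test asks what an
    attacker-chosen name can do, so the unchecked assumption that `name` is a
    plain file name goes unnoticed.
    """
    if not name:
        raise ValueError("name required")
    return posixpath.join(BASE, name)


def report_path_checked(name):
    """Hardened version: normalise the result and verify it stays under BASE,
    which is the assumption the naive version silently relied on."""
    if not name:
        raise ValueError("name required")
    candidate = posixpath.normpath(posixpath.join(BASE, name))
    if candidate != BASE and not candidate.startswith(BASE + "/"):
        raise ValueError("report name escapes the base directory")
    return candidate


def happy_path_tests(fn):
    """The tests a hurried developer writes: every branch executed, nothing
    about hostile input. Returns True when `fn` passes them."""
    try:
        fn("")
        return False          # the empty-name branch should have raised
    except ValueError:
        pass
    return fn("q1.txt") == BASE + "/q1.txt"


def attacker_test(fn):
    """The question security awareness adds: what does an attacker get by
    choosing the name? Returns True when `fn` refuses a traversal attempt,
    False when the resolved path lands outside BASE."""
    try:
        result = fn("../../etc/passwd")
    except ValueError:
        return True
    return posixpath.normpath(result).startswith(BASE + "/")


if __name__ == "__main__":
    for fn in (report_path_naive, report_path_checked):
        print(fn.__name__, "happy path:", happy_path_tests(fn),
              "attacker:", attacker_test(fn))
```

Both functions pass the happy-path tests, so coverage alone cannot tell them apart; only the attacker's test distinguishes the naive version (which resolves to `/etc/passwd`) from the checked one (which raises). Note that the check normalises before comparing: a string-prefix test on the un-normalised path would still pass for the traversal input, which is exactly the kind of seemingly small detail that decides whether the fix works.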
The bottom line
The bottom line is that developers will care about training and experience, not pieces of paper, and the fastest way to flip the bozo bit is to come into the room demanding that people pay attention to you just because you have a slip of paper. The business side has different rules. They must rely on internal and external evaluations, and formal certification by respected organizations is an important tool to get your message out.
If your job requires it, get a cert. If your boss’s boss cares about it, get a cert. If you need to get past the Guardians of HR with their dreaded keyword search, get a cert. Otherwise read a study guide and/or watch training videos so you keep current but only spend the money if you, yourself, would like it for your own reasons. For instance I like taking the actual exam since it forces me to study everything covered and not just the bits I find interesting or easy.