4 Things to Expect When You're the Only Security Engineer on a Developers' Team
Every start-up reaches the point where having developers take care of security is not enough. A security engineer needs to be hired to do the trickier work, such as monitoring networks and systems for vulnerabilities, or creating a set of security standards and practices. Does that sound like the job you've just signed up for? Lucky you! But here are some things you need to be aware of before your first day if you're going to survive.
1. You’ll be told that your code is not clean enough.
As a security engineer, you’ll sometimes have to code—to automate security checks, for example. You’ll also need to know how to code in order to be able to understand developers’ code. But you’re not a developer, which means that your expertise is more about platforms than coding. So, yes, you’re not an expert in programming languages—but you have so many other technical skills!
2. You’ll be teased about preventing sprints from ending.
Your rhythm is different from that of developers, who usually work in sprints. Your issues can take a quarter or more to be fixed, and your goals are definitely more long-term than theirs. This means that, at some point, you'll probably prevent a sprint from ending because you need to upgrade a library to a more secure version. But stick to your guns—it will be for a good reason, no matter what the developers are saying!
3. You’ll be assured that vulnerability bugs can be fixed later.
In order to finish a sprint, developers tend to release a feature even when there's a pending risk, especially if it can't be seen by the client. They promise they will come back to it later… So make sure you keep track of those bugs.
4. You'll need to share your knowledge with developers.
Developers will be able to find vulnerabilities in their own code if you are willing to share your security knowledge with them. Doing so will free you to spend more time on more complex, cross-cutting topics. Of course, you'll need to give them proper training so that they don't end up creating new security bugs while fixing one. And not only will this help you get to know them better, developers will teach you a lot, too!
When you are the only security engineer on a team of developers, it’s important to remember that your skills are complementary to those of your colleagues and that some of them worked on security issues before your arrival. Explaining your work to developers who are not completely aware of what you are doing, as well as training the ones who want to learn, will make it possible for you to become fully part of the developers’ team—and not just be seen as the one who blocks sprints.
This article is part of Behind the Code, the media for developers, by developers. Discover more articles and videos by visiting Behind the Code!
Illustrations by WTTJ