As a developer, DevOps engineer, Infrastructure & Operations lead, or similar, you are on the frontlines of application security. You are also on the frontlines of performance, functionality, stability, user experience…the list goes on. Often it seems like security is just one more requirement, one more box to check, one more obstacle between you, your deadline, and what you really care about. But I see it differently. Security probably is not the reason you love coding, but I bet the reason you love coding is made all the richer by embracing security. Or at least it can be. Hear me out.
I have been fortunate enough to work in development and to work with developers for decades. Through that experience, I have come to recognize different developer archetypes and their motivations. There are the creators who thrive on creating something that never existed before the day they wrote it into existence. The often falsely labeled “lazy developers” who are efficiency experts and automate everything. The competitors who know they are the best and need to prove it. The skeptics who inherently doubt others’ code – often with the confidence they can build it better themselves. The oracles who feel they can learn exactly how the system works by reading source code and strive to keep up with the intricacies of complex modern systems. And finally, there are the captains, the developers often motivated by a purpose higher than their code who are core to building a culture around team successes.
In recent years, I have seen not only how these personalities can succeed in a “shift-left” world, but how secure coding practices can actually kindle rather than snuff out their passions – be they to deliver cutting-edge projects, streamline processes, or advance their careers.
So, amid your many competing demands and the pressure to focus on faster delivery over security, why should you care about writing secure code? Well, I will argue that embracing security not only makes you a better (and higher-compensated) developer, but it also lets you do more of what you love about coding in the first place. Here are eight ways I have seen developers embrace security to work on better projects, find meaning in their work, and ultimately advance their careers.
Secure coding helps you work on the most interesting projects.
One thing most – if not all – developers have in common is the desire to work on interesting projects and solve interesting problems. There is a level of pride and intrinsic enjoyment being entrusted to tackle difficult challenges and devise creative solutions. Often the most interesting projects impact large populations, represent critical value to an organization and its customers, or are at the leading edge of what is possible in digital experiences. This criticality goes hand in hand with the need for security.
For example, let us say your organization is working on a brand-new digital banking service, or a predictive healthcare platform bringing patients and practitioners together to lower costs and improve outcomes. Both projects represent high-value opportunities but come with an inherently high security threshold. When you can demonstrate the ability not only to write functional and high-quality code but also secure code, you are more likely to be tapped to work on these kinds of projects.
Secure coding demonstrates deep knowledge of complex systems.
Application code is invariably complex – and constantly getting more so. Whether you manage legacy applications written by developers who have left the organization, work on cloud-native applications developed across multiple teams contributing various microservices and APIs, or both, there is gratification in understanding these complex assets and what makes them work. This gratification can manifest in creating and managing the interrelationships and integrations with disparate systems and services. And it can manifest in understanding security risk across the application and integrating and automating security in your software development lifecycle.
Whether a monolith application with tech debt or a cloud-native application built on microservices, these complex systems represent significant value for the organization. Extracting that value is predicated on secure code – both to mitigate the risk of an attack and to realize the promise of rapid development, scale, and agility. Understanding security across the SDLC not only shows your understanding of the system but positions you as a key contributor driving value through speed to market, risk management, and more.
Secure coding champions who tackle urgent issues are seen as essential heroes.
Maybe you are the type of developer who loves to tackle urgent, critical issues. You love the rush associated with responding when an emergency arises and being a heroic figure who puts out the metaphorical “system fire.” (For anyone who has read The Phoenix Project, Brent Geller, Lead Engineer for Parts Unlimited, is a vivid illustration of this.) Today, companies need developers on the roster with the knowledge to fix severe flaws and quickly respond to zero-day vulnerabilities. Being a go-to source for urgent issues not only feeds your adrenaline needs, but it also comes with an element of job security – especially when working with complex and business-critical systems.
Secure coding means you can take pride in your work and the success of your software.
Most of us want our work to have purpose and to receive recognition and positive feedback for our contributions. We want the applications we build to help users, customers, and ourselves succeed. And we do not want that success to come with the risk of data breaches and other devastating security exploits. While security can often be seen as a thankless task – you only really notice it when something bad happens – securing software is not just about protecting users and brands. It is also about taking pride in your work and securing that work against the negative effects of an exploited vulnerability. Part of writing the best software is writing secure software.
Secure coding helps you build relationships with other developers.
As developers, we are not just accountable to customers and users but also to the other developers and team members working alongside us. No one wants to be the proverbial “weak link” letting teammates down, making others’ jobs more difficult, or keeping the team from meeting goals.
Writing functional code riddled with flaws leads to frustrating rework and delays that affect the whole team. Conversely, writing functional and secure code on deadline means teammates can rely on you to pull your weight. And being a secure coding champion means you are a resource to help remediate or mitigate difficult issues and elevate the team to become more efficient and better coders. This quickly builds your reputation as a developer with whom others want to work.
Secure coding makes you stand out with leadership.
Developers and leadership may often seem to have diverging motivations. It is common as developers to strive for perfection and to want the time to achieve that. However, leaders often make decisions to get product (often minimally viable) out to market to capture windows of opportunity. Developers who not only understand the business needs and strategy but enable execution of that strategy stand out to leadership.
Time to market is key to most business strategies. And with regulatory pressure and mounting financial risk around cybersecurity, meeting application security policy can be a key limiting factor in time to market. If, however, you deliver secure code in a timely manner, that creates flexibility and opportunity for business leaders to execute strategy and make more advantageous financial decisions with less risk to the business. This makes everyone in the organization happier!
Secure coding elevates your contribution to the organization.
In aggregate – working on the most interesting and important projects, acting as a critical resource to secure complex systems and tackle urgent issues, helping your teams succeed, and enabling leadership to execute on their strategy – being a secure coding champion and leader means your efforts lead directly to positive change and impact for your team and organization. This is only getting truer as security becomes increasingly important in buyer decisions, time to market, regulatory compliance, and more.
Of course, that contribution can and should lead to greater compensation and career advancement…
Secure coding advances your career.
Whether you are looking to increase job security, advance within your organization, or earn the opportunity to work on high-profile projects and earn a higher salary, embracing application security and becoming a secure coding champion is a great way to distinguish yourself and advance your career. For all the reasons listed above, there is a growing need for professional developers and DevOps engineers with knowledge of secure coding best practices. There is also a considerable talent gap to fill this need, which gives developers who can deliver secure code quickly and efficiently, with knowledge of application security tools, a considerable advantage.
So how do you become a secure coding champion?
Hopefully, these motivations and passions resonate with you as a developer, and you can see how embracing application security can advance your career and enable you to do more of what you love. But how do you get started? Here are three simple steps to become a secure coding champion.
1. Build your knowledge base: Ultimately, you as the developer write code, debug issues, and remediate or mitigate security flaws. Step one is building out your knowledge base of common vulnerabilities and weaknesses, how attackers exploit them, and how you as a developer can write secure code to limit vulnerabilities and make it harder for malicious actors to manipulate your code. A great resource to get started is Veracode Security Labs, which includes coding samples and demo applications so you can learn about flaws, see exploits in action, and manipulate code to create fixes.
2. Become proficient using application security tools: Scanning and analysis are essential to application security. These tools evaluate the code you write and assemble to identify security issues. Sometimes others in the organization mandate tools, but as a developer you have an increasing say in evaluating and selecting the tools your organization uses. When evaluating tools, ask these key questions:
- Will this tool be around for a while and am I likely to use it throughout my career? If you are going to put in the effort to learn a tool, ideally that effort will pay dividends throughout your career. Like investing in learning a coding language, you want to pick a tool with the maturity and staying power to be relevant now and in the future.
- Does this tool cover the languages and frameworks I use, deliver a comprehensive platform with end-to-end scanning capabilities, and integrate with my toolkit? Complexity is the enemy of security, and I do not know of any developer who wants 5+ new tools to do one function. A powerful application security platform simplifies security by providing a single tool to secure your applications from first-party code throughout your software supply chain. Not only does this give you one source for all findings, but with a tool like Veracode, you can embed security in your existing workflow – from your IDE to CI/CD pipeline and into production.
- And finally, does this tool enable me to be successful by clearly identifying the issues I need to address and providing the resources to not just find but actually fix flaws? Unfortunately, many application security tools treat scanning as the beginning and end of application security. In reality, it is just the start line. The goal is functional and secure code delivered on deadline. It is important your application security tool finds flaws quickly and accurately, but it is critical that it provides the resources to fix those flaws – in the form of contextual guidance, coding samples, one-on-one consultations, or ideally all three!
3. Prove yourself! Build your portfolio, network, and references: If you put in the work to learn secure coding best practices and embed application security into your workflow, the results will come. You will be selected to work on interesting projects and build a portfolio of successful and secure applications you can be proud of. Your teammates and colleagues will recognize you for your contributions to projects and the success of the organization. And the opportunities and advancements will follow. Congratulations! You are a secure coding champion.
Strengthening application security in an enterprise truly takes a village, but ultimately the results revolve around you – the developers and DevOps practitioners who write and secure code. As demand for security champions continues to outpace supply, this presents a tremendous opportunity to advance your career and do more of what motivated you to become a developer in the first place, whether that is to work on interesting projects, be part of an amazing team, stand out in your industry, or earn a higher salary.
Whatever your passions and motivations, the best place to start is by investing in your own knowledge and learning about secure coding. You can start today by taking FREE courses in Veracode Security Labs to learn about common vulnerabilities – including the OWASP Top 10 – and how you can write secure code.