Information Security Engineer: who are they, and what should they know?
Information security is a cross-disciplinary science and cannot exist by itself. Therefore, an information security engineer is a T-shape specialist who understands different aspects of computer science, information technology, mathematics and much more. That’s what makes this profession exciting, challenging and multifaceted.
Information security is a highly applied field that has been growing rapidly in recent years. High-profile hacks, data breaches, and government regulations such as GDPR are forcing companies to pay more and more attention to security.
And security is becoming not just a triad of confidentiality, integrity and availability but a business property without which it can neither exist nor receive investment.
Many people imagine the Information Security Engineer as a hacker from the movies who, using secret techniques and technology, can break into the Pentagon or steal all the bitcoins from some exchange. There is even some truth in this; for example, the creators of the series Mr Robot deliberately used existing techniques and vulnerabilities to bring what happens on screen closer to reality. In practice, it is not that romantic, and an engineer's day-to-day work is different.
What does a security engineer do, anyway?
Security can be divided into an Offensive side and a Defensive side.
Offensive security is more common in consulting companies and aims at finding vulnerabilities in a customer's systems and discussing ways to fix them. The engineer looks for ways to hack the company's services and describes the problems found in an audit report.
Defensive security is typical of product companies and aims at making the company and its services secure. Of course, consulting companies also have their own internal security to protect client data.
Security is an iterative process. For example, here’s a list of the tasks and processes an engineer faces:
- Builds a secure CI/CD process and security in the product lifecycle phases.
- Advises SRE teams, Developers, and Product Managers on security issues.
- Participates in security design reviews of new services, code audits, and develops security tools.
- Implements technical security measures to pass certifications.
- Assists the SOC team with tech solutions in the difficult task of catching an intruder.
- Participates in security incident investigations.
- Delivers proposed solutions using a risk-based approach.
If you want to become such an engineer, where should you start?
Become a hacker, of course; see How To Become A Hacker. Being a hacker is not about stealing money from banks. It means solving complicated technical problems no one has solved before you, being inquisitive, and thinking outside the box.
English. One of the most essential skills you need; without the language, you limit yourself far too much.
Programming. The second essential skill you absolutely need. There is a stereotype that security people are failed programmers. We could debate it for a long time, but the truth is that a security engineer must be able to program in order to understand the mistakes that can be made when developing systems. It is hard to imagine finding vulnerabilities in code and "hacking" an application without ever having written one yourself. Beyond that, programming lets you automate routine tasks and build tools that help you and the business ship safer products. My choices are Golang and Python.
General IT background. The third essential skill is a broad outlook on IT. Study how systems work and why they are designed that way. Try to develop your own service. For example, figure out how secrets are delivered to a service or how the OAuth protocol works. The System Design materials will help you with that. This skill will also help you get into threat modelling later, because you can only model threats against a system you understand.
Bug bounty. A bug bounty is an open, crowdsourced vulnerability-finding program: companies discover vulnerabilities in their systems, and security researchers get paid for reporting them. It is a fair trade that lets you search for vulnerabilities in real-world systems. Take advantage of this opportunity, participate in unpaid programs as well, and read write-ups from well-known contributors. For example, subscribe to the public report digests from HackerOne or Bugcrowd.
CTF (Capture the Flag) and communities. A CTF is a competition among security engineers. It is an excellent way to build your hard skills and learn new things. Participate in contests and read the write-ups afterwards. Join existing groups or create your own. There are many communities, for example at universities, that are interested in developing such teams. Join one, share knowledge, and discuss new techniques and vulnerabilities. This will help you develop teamwork skills and the ability to solve complex problems in a short time.
Courses and books. Books and courses can be an excellent start. I like "The Tangled Web: A Guide to Securing Modern Web Applications", "Building Secure and Reliable Systems", and "The Web Application Hacker's Handbook". If you decide to master web application security, Portswigger Labs is a must.
Certifications. Do not go through certifications for the sake of the certificate; that is a useless exercise. Look at certifications as an opportunity to master and extend your practical skills in an area that interests you. Many excellent security engineers have no certificates, but that does not mean certifications are useless. Here are some I personally recommend: Offensive Security. Don't get hung up on security certifications alone; certifications in networking or databases may also be helpful for you.
Communication. An engineer's job consists not only of finding vulnerabilities and flaws in a system but also of explaining them, in understandable language, to people with different backgrounds, such as developers and managers. Security is often a tradeoff, so the ability to negotiate is an important skill for any engineer. This is where developing critical thinking, emotional intelligence, and strategic thinking helps. All of these are skills that require constant practice.
For me, choosing to be a security engineer means constantly learning new things, moving forward, and being able to deal with interesting, different, and challenging tasks while interacting with a lot of smart and motivated people.