top | item 3943114

Ron Rivest's MIT Computer and Network Security

25 points| rfreytag | 14 years ago |courses.csail.mit.edu | reply

6 comments

[+] fatalerrorx3|14 years ago|reply
Is it expected that all software engineers are knowledgeable in computer and network security or is this considered a different specialty? Reason I ask is that I'm working on a healthcare startup that deals with rather sensitive information but I don't have a background in security. I've actually learned a lot during the last year that I didn't know, mainly using Ubuntu Command Line, modifying web server configurations in addition to setting up the network/router for the server, and creating the databases and programming the web app, but I'm not experienced in network or computer security. I'm obviously aware of and prevent SQL injections but other than that I'm sort of clueless and was wondering if maybe I should take a CE course on network and computer security... anyone any thoughts?
[+] mhurron|14 years ago|reply
> Is it expected that all software engineers are knowledgeable in computer and network security

Honestly, at least in larger companies, it is expected developers know how to write in whatever language the company works in and that's it. I don't even think that they have to know how to turn their own development machine on.

They don't understand simple security practices. They don't understand that they don't need root for their build process. They don't understand their code should not require root to run. They don't understand why there are access controls on anything.

If you learned any of that, even just the basics of system and network security practices, you would be head and shoulders above most other candidates anywhere for any development position. Nothing you do exists in a vacuum. Knowing a little bit of how the bigger picture relates to your specialty area is a benefit.

However if you don't really have time, don't worry about it. A good amount of healthcare software has horrible security at the software level so it's obviously not that important to them.

[+] ericgearhart|14 years ago|reply
As someone who has worked on the "other side of the aisle" (I worked at a healthcare startup as a production support and network engineer) I'd say absolutely, you should try to learn as much as you can about secure coding practices.

Trying to "duct tape" Apache's mod_security in front of an insecure webapp is no picnic... it would've been much cleaner to clean up the code base, but because the code was 10+ years old, the level of risk in changing that much code was deemed too high, and we needed fixes NOW (a customer was scanning us and finding SQL injections), we ended up standing up mod_security on the DMZ web servers we had.

Please learn secure coding practices! Worst case it will make you a more valuable dev.

[+] spydum|14 years ago|reply
When the class is taught by the guy who puts the R in RSA, you can imagine he's going to lean heavy and hard into cryptography.