Security for developer & architect background

RollTide Member Posts: 23
First a little about me... I have 18+ years in IT. I started out in networking and got my MCSE, CCNA & Citrix CCA certs back in the NT/W2K days. Fast forwarding a few years, I decided to shift careers and get into development, which was more interesting to me. I've been a web & application developer for most of my career and worked with just about every stack and language from C#, Java, JavaScript, Python, etc. For the past 5+ years, I've been mostly an architect, which took me away from programming all the time, but I could if I had to get my hands dirty. And of course, the last few years have been heavily based on cloud utilization with AWS & Azure from an enterprise application (web, mobile and hybrid) point of view. For education, I have a bachelor's & 2 master's. The master's degrees are in IT management & computer science.

Although the word "security" was never in any title I possessed, it was always an integral part in any work that I did.... be it networking or development for web/mobile. Many of the companies I've worked for have 3rd party security scans done on newly developed apps and I was usually the one who had dialogue with those companies to help mitigate any vulnerabilities.

Basically what I'm getting at is this: how many of you out here are like me, where you aren't necessarily a "security" professional but have to deal with it on a daily basis? My reason for pursuing the SSCP and next the CISSP is not so I can go get a security job but instead to enhance my knowledge and fill in any gaps that I may have with respect to security. And of course, it is also a little bit of a buffer to have that SSCP or CISSP on the resume to make you stand out in a pile of resumes. Has anyone else taken this approach in their mid-careers, or am I going overboard and shouldn't really care and just go on my experience? Also want to point out that I may start my own consulting business, for which I think the certifications I have would really be helpful. Especially any security certs.

Thanks...

Comments

  • renacido Member Posts: 387
    Here are a couple of ideas:

    You might look into CSSLP (Certified Secure Software Lifecycle Professional)
    from ISC2:

    https://www.isc2.org/csslp/default.aspx

    It focuses on application security and vulnerability management.

    There are also a couple of cloud security certs, CCSK and CCSP. OWASP has been trying to get something going for a certification program but not sure where they are with that. And GIAC has app security certs but they are tech-specific, one for .NET and one for Java.

    Hope this helps. SSCP and CISSP aren't bad to have either of course.
  • RollTide Member Posts: 23
    Thanks for the response. I did come across the CSSLP, CCSP and GWEB. These certs are certainly on my radar and I will eventually pursue them. However, the CISSP seems to be the flagship security cert everyone is raving about, so I might go after that soon, considering there is an overlap with the SSCP, which I recently took and which is still fresh in my mind.

    Anyone else out there with a developer background that is getting more into security?
  • dou2ble Member Posts: 160
    All the Microsoft "Engineer" consultants I've worked with are required to get the CISSP. When I worked in Big 4 anyone in IT audit had to get CISSP or CISM. Many Cisco engineers also get the CISSP. This tells you that CISSP isn't just for security professionals. I think you've got a good game plan.
    2015 Goals: Masters in Cyber Security
  • RollTide Member Posts: 23
    dou2ble wrote: »
    All the Microsoft "Engineer" consultants I've worked with are required to get the CISSP. When I worked in Big 4 anyone in IT audit had to get CISSP or CISM. Many Cisco engineers also get the CISSP. This tells you that CISSP isn't just for security professionals. I think you've got a good game plan.

    Thanks dou2ble. I notice in your signature that your goal for 2015 is Masters in Cyber Security. How is that going and where are you taking it?
  • dou2ble Member Posts: 160
    I'm doing National University online. They're non-profit and so far I've liked the curriculum. They're also one of the NSA schools of excellence. Not to stroke my own ego, but I have found it to be quite easy, though the homework still takes time... which I guess makes sense, since when one is at a Sr level a graduate class shouldn't be tough. A lot of it is a refresher, but each class so far has still had specific assignments that have challenged, interested and taught me. For example, Wireshark, SQL injection, Kali Linux, Snort and other software that in security engineering I don't get to play around with much.
    2015 Goals: Masters in Cyber Security
  • B99101146 Registered Users Posts: 4
    I have a very similar background to yours and I opted for CSSLP (just booked the exam date for 2015) as it just resonates better considering the SDLC exp I have. For me it was an easier choice: when I asked myself "why not CISSP, and why CSSLP?", I went ahead and spent some time reading the ISC2 website, and it clearly describes each cert and which one fits better for which audience.

    Interestingly, I used SSCP prep material just for my education (I do have a master's in CS) and it was good learning, but frankly, being from a software engineering background, I tend to gravitate more towards certs like GWEB (or others that are more hands-on) which predominantly target developers.
  • RollTide Member Posts: 23
    Thanks B9. I agree with you that the CSSLP best complements our experience. If both the CSSLP & CISSP were at the same level of popularity, I would for certain go for CSSLP without giving it a second thought. However, since the CISSP has this reputation of being the lord of all security exams, I am in this conundrum. I just want to get the most bang for my buck. I suppose in the long run, it doesn't matter since I was going to go for both exams eventually anyway. It's just a matter of which one first.
  • dou2ble Member Posts: 160
    RollTide wrote: »
    Thanks B9. I agree with you that the CSSLP best complements our experience. If both the CSSLP & CISSP were at the same level of popularity, I would for certain go for CSSLP without giving it a second thought. However, since the CISSP has this reputation of being the lord of all security exams, I am in this conundrum. I just want to get the most bang for my buck. I suppose in the long run, it doesn't matter since I was going to go for both exams eventually anyway. It's just a matter of which one first.
    May I suggest looking at job postings that you're interested in or fit the type of job you'd do, and see which cert they list?
    2015 Goals: Masters in Cyber Security
  • RollTide Member Posts: 23
    I'm not really looking for a new job... just expanding my security skills and filling in gaps. The ultimate goal is to have these certs on the resume to eventually go out on my own as a consultant. I won't necessarily be doing security work, but the cert shows that I can approach software development or cloud implementation with a security hat on.
  • Navdeepaggarwal Registered Users Posts: 1
    This is really a tough call as to which cert to do first. I am also in the same boat, where I have spent 7 years of my professional career in software development. Though I am not much exposed to various technologies (my exposure remains limited to IBM mainframes and Unix), I was (and am) interested in and involved with the security guys. Slowly I have been moved into creating an application for Identity & Access Management, and from there I started considering myself in core security.

    In the last couple of months, I have been actively looking for security certifications and have managed to complete ITIL and CCSK, considering cloud to be the next big thing. During this process, I have come across CISSP and CSSLP. As RollTide mentioned, our experience and background suggest going for CSSLP, but keeping market recognition in view, CISSP is a must for any security guy.

    In my case, since my employer is not funding the certs at this stage, I really have to be very specific in choosing the right certification, as I have already paid for CCSK and ITIL.

    So I'm asking the same question here: which certification will be more useful/helpful, CISSP or CSSLP? CCSK is also very similar to CISSP, as it also covers all 10 domains like CISSP. So I have the one advantage of having fresh memories of CCSK.

    Thanks in Advance

    Navdeep Aggarwal