What does it take to be a security champion? Lessons from three tech professionals

Secure Code Warrior

We often discuss how security-aware developers are hard to find and how important it is to build and nurture security champions within your organization in order to secure your code from the very start. It’s also no secret that security professionals, Application Security (AppSec) managers, security engineers, and penetration testers are in short supply, despite the rapidly growing need to secure our applications and data. 

Recently we interviewed some of the future leaders in the secure development or “DevSec” world and found their individual career paths into cybersecurity fascinating. For those of you out there wishing to become a security champion, jump into the elusive AppSec realm, or even just learn more about secure coding, here are the stories from three security professionals with a background in development, about how they got interested in security and the security lessons they wish every organization would follow.

Lexi Condon on finding the “aha moment” in her cybersecurity career

Lexi currently works at the department of health in AV and video conferencing. Lexi first came to the attention of Secure Code Warrior when she topped the leaderboard of a secure coding tournament during her time working as a unit tester at AMP bank. 

One day, her team lead noticed that she had started to write code and suggested that she join the upcoming Secure Code Warrior tournament. It turned out that Lexi had a particular knack for security. 

“It was the most intense and fun tournament I’ve done with anything security (related).”

What sparked her interest in security? 

Lexi’s interest in security went back further than that, though: as a youngster she learned that she could modify games and change their code. That sparked her desire to learn more about security, and she started breaking into websites as part of her journey. 

She discovered during this time how to take advantage of vulnerabilities such as SQL injection, and she wanted to help companies understand such threats. That’s when she became a bit of an “ethical hacker” and began to reach out to organizations to let them know about their vulnerabilities and help fix them. 

“Security falls heavily in line with programming”

Lexi also tells us that by learning to understand how to penetrate code, you learn how to avoid making security mistakes and that “security falls heavily in line with programming”. 

What’s Lexi’s #1 security lesson?

Always get your code peer-reviewed and pen tested; you’ll regret it if you don’t. “If you don’t try to break what you make before it goes into production, you’re going to have some major problems.” 

She also notes that the entire company is working towards a common goal and the security team is not trying to take anything away, they are just trying to make everything safer. 

Watch the full video below: 


Prajwal Shetty put security first to shape his career and mind

Prajwal Shetty is currently a senior technical lead, but only 10 years ago he was beginning his career and seeking out further security training. He found an interest in security early on in his career and realized it could help him to grow in both his cybersecurity career and personally. 

He started out by dabbling in security training on his own, including using the Secure Code Warrior platform to teach himself about common vulnerabilities. With an appetite to learn more, he pursued more formal security engineering training, which emphasized the need to consider security at every stage of the software development lifecycle (SDLC).

Implementing his security training at work

When Prajwal first started to apply the methodologies from his studies at work, people were reluctant to get on board: having processes around security in the development lifecycle was new, and there was a lack of security understanding within the team. He says that the Secure Code Warrior platform was able to help drive that change. 

After implementing training and driving a shift in culture, his colleagues now consider security from the beginning. And a bit of healthy competition within the team didn’t hurt. 

What’s Prajwal’s #1 security lesson? 

Focus on security as the very first aspect of development, which means implementing it from the start of the development lifecycle. Then continue to think about security at each and every stage. For example, when you’re thinking about requirements, think about the security requirements as well as the functional requirements. This way you don’t have to fix security issues later and risk damaging your reputation, losing clients, or working on the weekends.

Watch the full interview with Prajwal here:

Yalda Khosroshahi finds a passion for detecting and preventing software vulnerabilities

Yalda is currently a security engineer at Insider, but she originally studied software engineering as an undergraduate. She wasn’t sure where she would go after graduation or what she would focus on, but that all changed when she attended a computer networks course. When the course reached a chapter on network security, she learned about different types of cyberattacks, which sparked her passion for cybersecurity and set her thinking about a career in security.

After the course, she decided to research the topic of software vulnerabilities further to learn how to detect and prevent such attacks, and went on to pursue a master’s degree in cybersecurity. During her studies, she focused on the sources being used in DDoS (distributed denial of service) attacks. 

On learning penetration testing

Although she studied network security and web security during her degree, Yalda soon realized that if she was going to prevent attacks, she needed to understand how hackers think. That’s when she decided to learn penetration testing. From that, she soon understood that with her combined programming and security experience, she could be a great asset to companies by helping developers implement a development process to build more secure products. 

And now that’s exactly what she is implementing in her current role. 

What’s Yalda’s #1 security lesson?

Have a zero-trust policy. And not just for developers, for everyone. You should always validate the source. For non-developers, this could be phishing attacks, for example. For developers, it could be from the client side. She says that we should never rely on the user’s input, because not everyone has good intentions.

“Sometimes developers think that security is hard or boring, but it’s not true, it’s just another version of coding.”
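Two of the lessons above point at the same defect class: Lexi learned her way into security through SQL injection, and Yalda’s rule is to never rely on input that arrives from the client side. The snippet below is an added example, not code from the interviews or from Secure Code Warrior; it uses Python’s standard sqlite3 module with a constructed two-row user table, shows the injectable lookup beside its parameterized form, and wraps the “break what you make before production” idea in a check that a tautology payload must not widen the result set.

```python
import sqlite3

# Constructed sample data for the example (not from the page).
USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
]

# The classic tautology payload: closes the quoted string and appends OR '1'='1'.
INJECTION = "nobody' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Untrusted client input is spliced straight into the SQL text.

    With INJECTION as the username the statement becomes
        SELECT username FROM users WHERE username = 'nobody' OR '1'='1'
    and every row matches.
    """
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn, username):
    """Same lookup, but the input travels as a bound parameter.

    The driver hands the value to SQLite separately from the statement, so
    the quotes and OR inside the payload are just characters in a string
    that no user is named after.
    """
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def injection_check(lookup):
    """Break-it-before-production check for a lookup function.

    Returns True when a tautology payload yields no rows (the lookup does
    not let client input change the query's logic), False otherwise.
    """
    conn = make_db()
    return len(lookup(conn, INJECTION)) == 0


def demo():
    """Run both lookups against the same data and report what each returns."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, INJECTION),
        "safe": find_user_safe(conn, INJECTION),
        "legit": find_user_safe(conn, "alice"),
        "vulnerable_passes_check": injection_check(find_user_vulnerable),
        "safe_passes_check": injection_check(find_user_safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of injection_check is that it is the kind of test a team can keep in its suite: it encodes an attacker’s input, not a happy-path one, and fails the moment someone reintroduces string formatting into a query. The same pattern applies to any other sink that receives client data (shell commands, LDAP filters, file paths): keep data and instructions on separate channels, and test with hostile input.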

Watch the full interview with Yalda:


Interested in learning more about secure coding?

Check out our product walkthrough.

