SSSE Domain 5 – Software Engineering
November 23, 2006
A great security engineer doesn’t really need to BE a software engineer – they just need to know how one thinks, and the important concepts that a software engineer knows. The reason for this can be seen in almost all risk assessment and analysis – in order to understand the risk that a piece of software presents, the engineer needs to have a fundamental understanding of how it was designed.
For that reason, this domain focuses on software engineering principles rather than on a specific language. The goal is to understand concepts like handling user input, the purpose of encapsulating functions, and how software is designed. Internalizing these concepts of design and implementation lets the engineer ultimately intuit a back-end design from seeing only the implementation (a trait that all brilliant reverse engineers and vulnerability researchers share).
That said, it is important that the engineer has actually spent some time coding. Study within this domain should therefore include time spent learning a programming language and becoming proficient at building some sort of software, whether a 100-line script or a 10,000-line application. The value of actually doing something with software can’t be overstated in learning these skills.
Required Text
Code Complete – I read this book first after my freshman year in computer science at the University of Toronto for summer reading, and it really moved me from understanding coding to understanding software – Steve McConnell takes you through all of the interesting and important concepts of developing good software, from design all the way to style. This one is a brilliant introduction to understanding what software really is.
Supplemental Texts
Software Engineering – The Pressmans have written the soup-to-nuts reference on software engineering here. This one’s worth having on your shelf, if only because the answer to just about any question you’d want to ask lives in here.
Some text on coding in a language of your choice – I’m not going to recommend a text on coding here, because there are many good ones for each of the languages that you might pick. If you’d like some help with deciding on a language to learn, leave a comment or drop me an email.
Teleseminar – Tech Skills, Creativity and Networking with Tim Keanini
November 23, 2006
The second episode of the Episteme IT/InfoSec Career Portfolio Teleseminar & Podcast Series will feature my brilliant colleague and friend Tim Keanini (aka TK) of nCircle Network Security.
I first met TK when he joined nCircle in 2001, and I was immediately amazed by his ability to synthesize technology and manage people. While lots of people are good at one or the other, TK manages to combine the two in a way that is beyond rare. The longer I have known TK, the more I have realized that he does three things better than almost anyone else I have ever met.
- In moving up the corporate ladder, he has managed to remain an incredible technologist and to maintain his passion for technology
- TK has an incredible ability to use “synthetic thinking” – he is as likely to pull a great technical idea out of a book on sociology or history as out of a technical book. He can use ideas from anywhere to start up his creative engine.
- He has an incredible network of people around him – it’s impossible not to love TK, and so he makes friends wherever he goes. This has created a group of incredibly smart people around him who are available to help whenever he needs it.
These are skills that just about anybody could use more of – and, while there are lots of books out there that claim to teach them (especially the third one), TK’s a natural at them. So, I asked him to come on and talk with me about all of the cool things that he does and all of the thoughts he has about how he does what he does.
The teleseminar is going to take place at 1PM PST/4PM EST on Tuesday, November 28. Click here to sign up for the mailing list to get the call-in info.
If you have questions that you would like to see TK and me talk about, please leave them in the comments below.
The Social Imperative
November 23, 2006
Amrit had some great points the other day in his post Information Security Must Evolve, which everybody’s quoting these days. He echoed some of the things that drove me to create the teleseminar series. From his article:
“Security professionals must have a better understanding of the business they are hired to protect, must possess more soft skills such as communication and cooperation, and must evolve their skill against the dynamic threat environment and the evolving business infrastructure.”
The importance of social and business skills can’t be overstated – the reason that people like Amrit and Jim C are successful in their information security careers isn’t their brilliant technical skills. While they’re both technically competent, that’s not their real skill.
Their real skill is in understanding the changing currents in both business and in people, and understanding how to navigate those currents. Those are the skills that you really need to learn as you move through your infosec career.