How To Move From Development to Security

December 21, 2015

I’ve spent the past year and a half years learning that we need more developers who understand information security. If you look at the job market today, one of the hottest areas of information security is in application security.

One of the reasons application security is such a hot market is that to be effective in the security applications, you have to really understand how an application is built.

In the spirit of growing developers into application security professionals, I wanted to write a guide to provide developers some foundational knowledge on security.

My goal with this guide is not to make you an application security professional but to point you to key knowledge you should begin to learn. Each of these points should also drive you towards additional learnings as well.

Read the OWASP Top 10

There is no better place to start than with the the OWASP Top 10 ([link]( = OWASP_Top_Ten_Project)). The OWASP Top 10 outlines what are supposed to be the 10 most common application security vulnerabilities found. Are they the most common? Not for most organizations. But as a learning tool, it established the 10 most common things you should understand. The OWASP tool gives you a background but then also links to a significant amount of knowledge on each as well. This is definitely the first place to start.

Join an OWASP Chapter

Once you know the basics of the OWASP Top 10, you’re welcome at an OWASP Chapter meeting (link). (Actually, the OWASP members are so friendly, I doubt they’d care if you didn’t know about the Top 10 before showing up.)

The whole concept of OWASP is around linking development and security so it’s not only a great place to learn, it’s also a great place to network.

Watch a Video

We continue the OWASP trend with a video from Michael Coates, OWASP Board Member and Head of Security at Twitter. Michael gives a fantastic primer on everything a developer should think about with Application Security.

Change Your Thinking

As we engineer software, we often focus on abstractions and applications layers. For security, the focus is on inputs and outputs.

If you go back to review the OWASP Top 10, some of the biggest issues are a result of input and output mistakes. (Quick list: SQL Injection, Cross Site Scripting (XSS), etc.)

Also, as a developer, you think in Use Cases. How is someone supposed to use the application. As a security professional, we thinking abuse cases. How can someone abuse my application?

Just thinking through these two components can greatly impact your thinking on security.

Practice and Learn

Checkmarx put together an outstanding list of places to practice your hacking skills here.

I’m a big fan of getting your hands dirty and their list provides 15 different places to play around with.

There is only so much you can get by simply reading. You need to start playing around as well.

What have I missed?

For those who are already entrenched in application security, what resources would you provide to an aspiring application security professional? What did I miss? Shoot me an e-mail at