The role of software security developer is relatively new and has its origins in Bekk’s security initiative. But how does a software security developer differ from a “regular” software developer?
4 min read
By Lars Sørensen
December 20, 2023
As part of Bekk’s security initiative, I have had the pleasure of stepping into the role of software security developer. Bekk envisions the role filling the gap between traditional software development and hardcore penetration testing/GRC work, so it is perfect for people who want to work at the intersection of traditional software development and cybersecurity. This does not exclusively involve bringing security into the development process, as that is already done to a very high extent in most teams. A security developer is more of a bridge builder between the security work done at management level and the security work done by the product teams, with the goal of giving product teams clear ownership of the security of their solutions.
Every day brings a new challenge. In our team, we work with security at the operational, tactical, and strategic levels. The goal is to create a bridge between the security work of developers and the security work of management. In my case, the work has ranged from regular backend development and securing APIs with OAuth2/OIDC to pen-testing other products in the organization. The team’s vision is also that by developing an app for the customer, we build up first-hand experience of which processes can quickly lead to security vulnerabilities. Therefore, my work also involves mitigating these pain points in the development process and establishing security best practices.
Keeping up with everything is a challenge, as the security space is constantly changing with new vulnerabilities, exploits of zero-days, and other security breaches. The best tip is to participate in a larger community where competence and experiences are shared.
I pursued a master’s degree in information security, and I have experienced the job opportunities as two extremes. One either works exclusively in development or exclusively in security, in roles such as penetration tester or within GRC (Governance, Risk and Compliance). I chose to become a developer because I like the creative part of the job, but I was determined not to let go of security. I was quickly introduced to Bekk’s security initiative, and it was through this that I got the opportunity to step into the role of security developer for one of Bekk’s clients.
I have had the opportunity to work with several different tools. Earlier this fall, another team member and I conducted a low-key pen-test of another product in the organization. This was done to highlight basic vulnerabilities to the product team and to make pen-testing more tangible for them. The most important tool here was Burp Suite, an intercepting HTTP proxy that lets you run automated scans, perform manual tests, and use several handy extensions, e.g. Active Scan++ and Turbo Intruder.
Our team is also developing an internal application that we want to secure. We do this through several different scanning tools, such as GitHub’s Dependabot and CodeQL, container image scanning with Trivy, and runtime scanning of the running application with Sysdig. This gives us insight into the attack surface at the various stages from code to running application.
In addition, we have recently used Istio, an open-source service mesh, to secure our API endpoints at the platform level instead of the application level.
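As an added illustration of what platform-level protection looks like (this is example configuration, not the team’s own), the two Istio resources below make the sidecar validate OIDC-issued JWTs and then require a validated token before traffic reaches the workload. The issuer, JWKS URL and the `app: api` label are placeholders; the point worth checking is that a RequestAuthentication alone only rejects invalid tokens, so the AuthorizationPolicy is what actually denies requests that carry no token at all.

```yaml
# Example only: Istio configuration for enforcing OIDC JWTs at the mesh layer.
# Placeholders: the issuer, JWKS URI and the "app: api" selector label.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: api-jwt
  namespace: api-ns
spec:
  selector:
    matchLabels:
      app: api            # placeholder label for the API workload
  jwtRules:
    - issuer: "https://idp.example.test/realms/example"   # placeholder issuer
      jwksUri: "https://idp.example.test/realms/example/protocol/openid-connect/certs"
      audiences:
        - "api"           # placeholder expected audience
      forwardOriginalToken: true   # let the app still read claims if it needs to
---
# Without this policy, a request with NO token is still allowed through;
# the RequestAuthentication above only rejects tokens that fail validation.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: api-require-jwt
  namespace: api-ns
spec:
  selector:
    matchLabels:
      app: api
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["*"]   # any principal set by a validated JWT
```

A quick functional check after applying both is to call the endpoint once with no Authorization header (expect 403 from the sidecar) and once with a token from the wrong issuer (expect 401), before trying a valid token.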
The last, but by far the most valuable tool we use every day is the security community at Bekk. When we get stuck or wonder how similar problems can be solved, there is a sense of assurance in being able to lean on a collective of people who are genuinely interested in security.
Taking my background into consideration, I feel lucky to have gotten the role of security developer. It allows me to combine two fields that I find exciting and fun. Security may seem scary, but in my experience what separates those who work in security from others is whether they let fear hold them back or just jump in anyway.