A quick pointer to an excellent article by Gunnar Peterson talking about his “He Got Game” rule. In short, you gotta have game with coding if you want to tackle securing code. This runs parallel to my thinking that you have to know how to code before you can know how to secure your code. Adrian Lane adds an excellent comment as well, at least from what I pulled from it (something about it’s wording made me need to read it 5 times…)
I’ll state there are always exceptions, but I’d say those exceptions are not the norm at all. At least you can say if someone is technical in one area, they *could* have a small headstart in tackling another technical area. In the end, just like having a security mindset is a huge help for a security professional, having an aptitude and experience in coding is a huge help for a dev security pro.
I could simply be failing by generalizing way too much. 🙂
The difference in all of this to me is: TRAINING/PRACTICE. Whether it is self-prescribed or work-prescribed, training makes a difference.
As far as his book recommendation, I have no idea about it, but I’d be willing to give it a flip-thru to see if I could grasp it and benefit from it.
* The older I get and the farther away I get from the analog world, the more I wonder how the hell we used to write and add emphasis without markup tages or non-standard type (**, bold, italics, all-caps…) Then again, without computers, thinking about what job I would be working now leaves me blank too…
I fully agree with respect to training and practice. As a responder, I encounter GCFA-certified analysts, but in many cases it seems that after they get the cert, they cease having any interaction with “the community”, and are often “stuck” at one level. In many cases, that can be detrimental to their work.