Is it expected that all software engineers are knowledgable in computer and network security or are this considered a different specialty? Reason I ask is that I'm working on a healthcare startup that deals with rather sensitive information but I don't have a background in security. I've actually learned a lot during the last year that I didn't know, mainly using Ubuntu Command Line, modifying web server configurations in addition to setting up the network/router for the server, and creating the databases and programming the web app, but I'm not experienced in network or computer security. I'm obviously aware of and prevent SQL injections but other than that I'm sort of clueless and was wondering if maybe I should take a CE course on network and computer security...anyone any thoughts?
Rivest's class is usually described as the "applied crypto" class (I haven't taken it, this is just what I've heard). The "systems security" class is 6.858:
http://pdos.csail.mit.edu/6.858/2011/
And there's another class (6.875, taught by Goldwasser or Micali) that is much more pure crypto than Rivest's class. In any case, 6.858 is super fun and probably the most useful for someone looking for practical security knowledge.
I audited this class (just showed up on the first day of class, not an MIT student, not registered). This class is probably the best class I've ever taken. I went from knowing a little about cryptography and computer security to doing novel computer science research (as one of the problem sets I broke a SHA3 candidate http://ethanheilman.tumblr.com/post/16944272296/shash ).
It isn't particularity "heavy and hard into cryptography", but it is very hands-on with many programming problem sets and puzzles to solve. It covers security from AES to secure voting to firewalls to buffer overflows to sql injection to physical security. This class will teach you to build more secure systems.
At the end of the course students present research projects. They are almost always worth taking a look at because they tend to be highly creative and fun (the MBTA "T" hacking talk at Defcon was originally a project for this class):
http://courses.csail.mit.edu/6.857/2010/pitches.html
This class is excellent and Ron Rivest is very friendly and very approachable. If you have a chance I would recommend taking it (or watching it online). If you have a background in programming you can take this course.
As someone who has worked on the "other side of the aisle" (I worked at a healthcare startup as a production support and network engineer) I'd say absolutely, you should try to learn as much as you can about secure coding practices.
Trying to "duct tape" Apache's mod_security in front of an insecure webapp is no picnic... it would've been much cleaner to clean up the code base, but because the code was 10+ years old, the level of risk in changing that much code was deemed too high, and we needed fixes NOW (a customer was scanning us and finding SQL injections) we ended up standing up mod_security on the DMZ web servers we had.
Please learn secure coding practices! Worst case it will make you a more valuable dev.
> Is it expected that all software engineers are knowledgable in computer and network security
Honestly, at least in larger companies, it is expected developers know how to write in what ever language the company works in and that's it. I don't even think that they have to know how to turn their own development machine on.
They don't understand simple security practices. They don't understand that they don't need root for their build process. They don't understand their code should not require root to run. They don't understand why there are access controls on anything.
If you learned any of that, even just the basics of system and network security practices, you would be head and shoulders above most other candidate anywhere for any development position. Nothing you do exists in a vacuum. Knowing a little bit of how the bigger picture relates to your specialty area is a benefit.
However if you don't really have time, don't worry about it. A good amount of healthcare software has horrible security at the software level so it's obviously not that important to them.
6 comments
[ 4.1 ms ] story [ 19.6 ms ] threadIt isn't particularity "heavy and hard into cryptography", but it is very hands-on with many programming problem sets and puzzles to solve. It covers security from AES to secure voting to firewalls to buffer overflows to sql injection to physical security. This class will teach you to build more secure systems.
To get a good idea of what the class is like check out the lecture list. http://courses.csail.mit.edu/6.857/2012/handouts
At the end of the course students present research projects. They are almost always worth taking a look at because they tend to be highly creative and fun (the MBTA "T" hacking talk at Defcon was originally a project for this class): http://courses.csail.mit.edu/6.857/2010/pitches.html
This class is excellent and Ron Rivest is very friendly and very approachable. If you have a chance I would recommend taking it (or watching it online). If you have a background in programming you can take this course.
Trying to "duct tape" Apache's mod_security in front of an insecure webapp is no picnic... it would've been much cleaner to clean up the code base, but because the code was 10+ years old, the level of risk in changing that much code was deemed too high, and we needed fixes NOW (a customer was scanning us and finding SQL injections) we ended up standing up mod_security on the DMZ web servers we had.
Please learn secure coding practices! Worst case it will make you a more valuable dev.
Honestly, at least in larger companies, it is expected developers know how to write in what ever language the company works in and that's it. I don't even think that they have to know how to turn their own development machine on.
They don't understand simple security practices. They don't understand that they don't need root for their build process. They don't understand their code should not require root to run. They don't understand why there are access controls on anything.
If you learned any of that, even just the basics of system and network security practices, you would be head and shoulders above most other candidate anywhere for any development position. Nothing you do exists in a vacuum. Knowing a little bit of how the bigger picture relates to your specialty area is a benefit.
However if you don't really have time, don't worry about it. A good amount of healthcare software has horrible security at the software level so it's obviously not that important to them.