This interview was cross-posted from the Veracode Community.
Join us in congratulating Cris, the latest Secure Code Champion in the Veracode Community! The Secure Code Champion is an award that recognizes individuals with three championships in the Veracode Community’s Secure Coding Challenge competitions.
Cris is a principal-level Application Security engineer in a large global travel technology company. In this role, he focuses on application penetration testing and setting the strategy for migrating their apps over to Google Cloud. Before entering the security space, he was a software developer for five years.
In this interview, we asked Cris about his experience participating in the Secure Coding Challenges and his career change story. He talked about how he made the switch from developer to security engineer, and what he thinks is important for someone to be successful in this role. For developers considering a similar career move, he also shared the resources that he found most helpful.
About Your Experience in the Secure Coding Challenge
What brought you to the Secure Coding Challenge?
I got an email about the competition and I enjoy a good challenge.
What did you find most valuable in participating in the Challenge?
Since there were multiple languages, we were able to experience different solutions for a single bug class. That was helpful since most companies use many languages for their apps.
What’s your suggestion for participants to stand out in the competition?
Trust your instincts and be familiar with using a command line and navigating a coding project's directory tree. As a security engineer, you'll need to be able to dig into your organization's code if you want to be able to help your developers succeed.
About Your Experience Becoming a Security Engineer
How have you grown from a software developer into a Security engineer? What are the skillsets and knowledge required for this career change? How did you acquire those skills?
I was a software developer for five years before I switched over to security. When I made the switch, I was focusing on penetration testing, so I read as many bug bounty write-ups as I could find and watched many more YouTube tutorials. Hack The Box and Pentester Academy have been very helpful in my learning.
What are the top 3 qualities of a successful security engineer?
- Attention to detail: We are looking for bugs in code that works, so you have to understand what makes a component vulnerable.
- Communication: The developers are going to push back sometimes, so being able to communicate with them is key.
- Vulnerability knowledge: When the developers push back on a vulnerability, you really need to have the knowledge of why it is important to fix it. It also helps if you can demonstrate how the vulnerability can be exploited.
Is there any tool, resource, forum/meet-up, or course you’d recommend for developers looking to break into the security world?
Read the disclosed write-ups at HackerOne and Bugcrowd. Also, here is a link to a great repo that gathered a lot of write-ups. https://github.com/devanshbatham/Awesome-Bugbounty-Writeups
Questions about becoming a security engineer? Or, if you're a fellow security engineer, let's connect! You can follow me on Twitter @Nimbus689 or connect with me on LinkedIn. https://www.linkedin.com/mwlite/in/cristobal-rodriguez-03b3b079