Secure System Development

Secure System Development is the development and updating of a system or product, in conformance with agreed security requirements and standards, throughout its lifecycle.

More about a career in Secure System Development

Working life

An introduction to this specialism

Secure System Development performs the technical work to deliver software or hardware, including detailed technical design, coding or hardware prototyping, debugging and documentation. The work follows technical specifications that lay out the requirements, including security requirements set by the security architecture or design team. In a smaller organisation, one person might carry out some or all of the secure design work, setting this within the overall structure specified by the security architect.

If off-the-shelf components are integrated into the system, then it is important to develop a deep understanding of their potential vulnerabilities and mitigate these in code. 

If secure hardware is developed, especially for Industrial Control Systems, then Secure System Development considers physical threats as well as possible software-driven breaches. Even if the work is purely on software, if that software will be part of a cyber-physical system, then it’s important to think of the potential physical access to remote parts of the system. 

The working day is generally quite structured: development plans direct the work, as well as the formal specifications and standards that are followed to carry out the work. However, if there is a cyber security incident, then Secure System Development is liable to be called in at short notice to help diagnose a newly exposed vulnerability or to propose changes to close it. 

Depending on the size and type of organisation, Secure System Development may be: 

  1. part of a formally structured team, co-ordinating with other specialist teams, or 
  2. working in a smaller, less formal structure where whatever tasks need doing are taken 

Agile development methodology is probably used, requiring fast but controlled cycles of development, testing and implementation. A secure development methodology and standards, such as Secure by Design, are probably followed as well. Skills in methodologies and standards will need to be updated as continuously as coding skills, in order to stay on top of changes in secure development principles, programming languages or hardware components and development methods.

There are many more jobs in secure software development than there are in hardware-specific or hybrid jobs. 

Responsibilities

What will your responsibilities include? What are your tasks likely to include?

Secure System Development delivers information systems that organisations use to carry out their mission, or which they supply to other organisations, while ensuring that those systems don't contain vulnerabilities that could create cyber security risks. 

In this specialism, you may: 

  • interpret requirements to produce hardware or software products that meet them
  • develop the products using components, tools, techniques and methodologies which minimise the chance of creating vulnerabilities in the products 
  • integrate the products into more complex systems, including cloud-based systems
  • design, execute and report on tests of the products 
  • identify, investigate and solve errors in the products 
  • use sophisticated platforms, including cloud-based platforms, to carry out the development and testing 
  • produce documentation on the products to guide implementers, system operators and administrators and, sometimes, end users 
  • respond to change requests by updating the products (in some environments, very frequently)

With more experience, you may also: 

  • be responsible for the overall delivery of products to the implementation team or customers 
  • ensure that the development environment and the related processes are secure against the leaking of sensitive data or code, and against breaches which might allow malefactors to manipulate products to create vulnerabilities
  • plan the work of colleagues  
  • set and monitor compliance with development standards, particularly ones concerned with security 
  • select and implement methods and tools 
  • monitor the effectiveness of the development process and identify changes which will improve performance 
  • recruit, train and assess others 

Job Titles 

For roles in software development, titles include: 

  • Secure Development Lifecycle Specialist 
  • Software Engineer 
  • Software Development Engineer 
  • Application Security Engineer 
  • DevSecOps Engineer 

For roles in hardware/hybrid hardware-software development, titles include: 

  • Hardware Engineer (although this is also used for roles which do not require secure development)
  • Electronics Design Engineer (Hardware) 
  • Platform Engineer (Networks) 

For senior roles in software development, titles include: 

  • Engineering Manager - Secure Cloud 
  • Senior Security Engineer (Software Security) 
  • DevSecOps Lead 
  • Senior Software Engineer – Cybersecurity 

For senior roles in hardware development: 

  • Senior Hardware Engineer (although this is also used for roles which do not require secure development)

Salaries 

A Secure System Development role might earn between £40,000 and £55,000 a year.  

A senior Secure System Development role might earn between £55,000 and £95,000. 

 

These ranges are calculated from a survey of online job vacancies advertisements in March 2021. Most of these advertisements did not include salary figures, so the sample size is small and may not be representative of the salaries for such roles in all sectors or all regions. 

Knowledge

What core, related and wider knowledge is important for working in this specialism?

Each of the 15 specialisms is based on knowledge areas within CyBOK.

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Secure System Development. 

Core knowledge – you will need a very good understanding of these areas 

Secure Software Lifecycle 

The application of security software engineering techniques in the whole systems development lifecycle resulting in software that is secure by default.  

Software Security 

Known categories of programming errors resulting in security bugs, and techniques for avoiding these errors - both through coding practice and improved language design - and tools, techniques, and methods for detection of such errors in existing systems.

Hardware Security 

Security in the design, implementation and deployment of general-purpose and specialist hardware, including trusted computing technologies and sources of randomness. 

If you're working in a role which has responsibility for the security of industrial control systems (ICSs), you will also need:

Cyber-Physical Systems Security 

Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures. 

Related knowledge – you will need a solid understanding of these areas 

Operating Systems & Virtualisation Security 

Operating systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multi-user systems, secure virtualisation, and security in database systems. 

Distributed Systems Security 

Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multi-tenant data centres and distributed ledgers. 

Cryptography 

Core primitives of cryptography as presently practised and emerging algorithms, techniques for analysis of these, and the protocols that use them. 

Web & Mobile Security 

Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models. 

Wider knowledge – these areas will help to provide context for your work 

Network Security 

Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security. 

Skills

What personal attributes might you need? What specialist skills are important?

Personal attributes 

  • problem-solving 
  • team-working 
  • logical thinking 
  • evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

Specialist skills 

  • software development 
  • hardware design and prototyping 
  • version control 
  • documentation of designs 
  • data protection regulations 
  • cloud development techniques 
  • configuring and implementing software and hardware security components, including cryptographic solutions 
  • secure development standards, such as Security Development Lifecycle 
  • 'agile' techniques, such as SCRUM and Continuous Development, Continuous Integration and Continuous Testing 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs). 

C2 – Technical Security Architecture 

Principles: 

  • contributes to the development of Computer, Network and Storage Security Architecture, incorporating hosting, infrastructure applications and cloud based solutions as covered by the role of Chief Security Architect 
  • interprets relevant security policies and threat/risk profiles into secure architectural solutions that mitigate the risks, conform to legislation and regulations and relate to business needs 
  • presents security architecture solutions as a view within broader IT architectures 
  • applies security architecture principles to networks, IT systems, Control Systems (e.g., SCADA, ICS), infrastructures and products 
  • devises standard solutions that address requirements delivering specific security functionality whether for a business solution or for a product 
  • maintains awareness of the security advantages and vulnerabilities of common products and technologies 
  • designs robust and fault-tolerant security mechanisms and components appropriate to the perceived risks 
  • uses appropriate methodologies and frameworks 

C3 – Secure Development 

Principles: 

  • implements and updates secure systems, products and components using an appropriate methodology 
  • defines and/or implements secure development standards and practices including, where relevant, formal methods 
  • selects and/or implements appropriate test strategies 
  • defines and/or implements appropriate secure change and fault management processes 
  • verifies that a developed component, product or system meets its security criteria (requirements and/or policy, standards and procedures) 
  • specifies and/or implements processes that maintain the required level of security of a component, product, or system through its lifecycle 
  • manages a system or component through a formal security assessment 

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

Experience 

A Secure System Development professional requires a wide range of specialist skills, making it difficult to start a career in this specialism without substantial knowledge and experience. Knowledge is required in some form of development, along with a reasonable level of practical understanding of the security risks and solutions in developing software or hardware technology products. 

Generally, this means that the only roles that might have developed useful transferable skills, which could be augmented by specialist training, are those in other related areas of engineering and software development. Such roles include: 

  • software development 
  • engineering - especially electronic or production 
  • video games development

Moving on

What other cyber security or IT role might you progress to from this specialism?

Linked Specialisms 

  • Security Testing 
  • Secure System Architecture and Design 

Moving On 

From a role in this specialism, you might take a position in one of these other cyber security specialisms: 

  • Secure System Architecture & Design 
  • Digital Forensics 
  • Security Testing 
  • Vulnerability Management 

Or, you might take up a more senior role in Secure System Development. 

Qualifications

Which certifications and qualifications are relevant to roles in this specialism?

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training 

© 2025 UK Cyber Security Council | Registered charity no. 1195030