Secure System Development is the development and updating of a system or product, in conformance with agreed security requirements and standards, throughout its lifecycle.
Secure System Development performs the technical work to deliver software or hardware, including detailed technical design, coding or hardware prototyping, debugging and documentation. There are technical specifications that are followed, which lay out the requirements, including security requirements set by the security architecture or design team. In a smaller organisation, one person might carry out some or all of the secure design work, setting this within the overall structure specified by the security architect.
If off-the-shelf components are integrated into the system, then it is important to develop a deep understanding of their potential vulnerabilities and mitigate these in code.
If secure hardware is developed, especially for Industrial Control Systems, then Secure System Development considers physical threats as well as possible software-driven breaches. Even if the work is purely on software, if that software will be part of a cyber-physical system, then it’s important to think of the potential physical access to remote parts of the system.
The working day is generally quite structured: development plans direct the work, as well as the formal specifications and standards that are followed to carry out the work. However, if there is a cyber security incident, then Secure System Development is liable to be called in at short notice to help diagnose a newly exposed vulnerability or to propose changes to close it.
Depending on the size and type of organisation, Secure System Development may be:
An Agile development methodology is probably used, requiring fast but controlled cycles of development, testing and implementation. A secure development methodology and standards, such as Secure by Design, are probably also followed. Skills in methodologies and standards will need to be updated continuously, as much as coding skills, in order to stay on top of changes in secure development principles, programming languages or hardware components and development methods.
There are many more jobs in secure software development than there are hardware-specific or hybrid jobs.
Secure System Development delivers information systems that organisations use to carry out their mission, or which they supply to other organisations, while ensuring that those systems don't contain vulnerabilities that could create cyber security risks.
In this specialism, you may:
With more experience, you may also:
For roles in software development, titles include:
For roles in hardware/hybrid hardware-software development, titles include:
For senior roles in software development, titles include:
For senior roles in hardware development:
A Secure System Development role might earn between £40,000 and £55,000 a year.
A senior Secure System Development role might earn between £55,000 and £95,000.
These ranges are calculated from a survey of online job vacancy advertisements in March 2021. Most of these advertisements did not include salary figures, so the sample size is small and may not be representative of the salaries for such roles in all sectors or all regions.
Each of the 16 specialisms is based on knowledge areas within CyBOK.
More information on CyBOK knowledge areas can be found here.
Here are the knowledge areas associated with Cyber Security Governance & Risk Management
Core knowledge – you will need a very good understanding of these areas
The application of security software engineering techniques in the whole systems development lifecycle resulting in software that is secure by default.
Known categories of programming errors resulting in security bugs, and techniques for avoiding these errors, both through coding practice and improved language design, and tools, techniques, and methods for detection of such errors in existing systems.
Security in the design, implementation and deployment of general-purpose and specialist hardware, including trusted computing technologies and sources of randomness.
If you're working in a role which has responsibility for the security of industrial control systems (ICSs), you will also need:
Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures.
Related knowledge – you will need a solid understanding of these areas
Operating systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multi-user systems, secure virtualisation, and security in database systems.
Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multi-tenant data centres and distributed ledgers.
Core primitives of cryptography as presently practised and emerging algorithms, techniques for analysis of these, and the protocols that use them.
Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
Wider knowledge – these areas will help to provide context for your work
Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs).
C2 – Technical Security Architecture
C3 – Secure Development
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
A Secure System Development professional requires a wide range of specialist skills, making it difficult to start a career in this specialism without substantial knowledge and experience. Knowledge is required in some form of development, along with a reasonable level of practical understanding of the security risks and solutions in developing software or hardware technology products.
Generally, this means that the only roles that might have developed useful transferable skills, which could be augmented by specialist training, are those in other related areas of engineering and software development. Such roles include:
From a role in this specialism, you might take a position in one of these other cyber security specialisms:
Or, you might take up a more senior role in Secure System Development.
Entry route information can be found here.
You can also visit the National Cyber Security Centre website at the links below: