More about a career in Secure System Development
You perform technical work to deliver software or hardware, including detailed technical design, coding or hardware prototyping, debugging and documentation. You follow technical specifications which lay out the requirements, including the security requirements set by the security architecture or design team. In a smaller organisation, you may also carry out some or all of the secure design work, setting this within the overall structure specified by the security architect. You probably design and carry out tests, although the substantive part of security testing will be carried out by a security testing practitioner or team.
If off-the-shelf components are integrated into the system (as they usually are), you need to develop a deep understanding of their potential vulnerabilities so as to mitigate these in your own code.
If you develop secure hardware, especially for Industrial Control Systems, you take into account physical threats as well as possible software-driven breaches. Even if you work purely on software, if that software will be part of a cyber-physical system, you think of the impact of potential physical access to remote parts of the system.
Your working day is generally quite structured: development plans direct your work, as well as the formal specifications and standards that you follow in carrying out the work. However, if there is a cyber security incident you're liable to be called in at short notice to help diagnose a newly exposed vulnerability or to propose changes to close it.
Depending on the size and type of your organisation, you may either be part of a formally structured team, co-ordinating with other specialist teams, or working in a smaller, less formal structure where you take on whatever tasks need doing. You probably use an agile development methodology, requiring fast but controlled cycles of development, testing and implementation.
You're probably required to follow a secure development methodology and standards, such as Secure by Design. You keep your skills in methodologies and standards updated as much as your coding skills, so there's continuous pressure to learn and to stay on top of changes in secure development principles, programming languages or hardware components, and development methods.
There are many more jobs in secure software development than in hardware-specific or hybrid roles, so you're much more likely to be working in a software role.
Working in this specialism, you deliver information systems that organisations use to carry out their mission, or which they supply to other organisations, while ensuring that those systems don't contain vulnerabilities that could create cyber security risks.
In detail, you may:
- interpret requirements and design hardware or software products that meet them
- develop the products using components, tools, techniques and methodologies which minimise the chance of creating vulnerabilities in the products
- integrate the products into more complex systems, including cloud-based systems
- design, execute and report on tests of the products
- identify, investigate and solve errors in the products
- use sophisticated platforms, including cloud-based platforms, to carry out the development and testing
- produce documentation on the products to guide implementers, system operators and administrators and, sometimes, end users
- respond to change requests by updating the products, in some environments very frequently
As a senior Secure System Development practitioner, you may also:
- be responsible for the overall delivery of products to the implementation team or customers
- ensure that the development environment and the related processes are secure against the leaking of sensitive data or code, and against breaches which might allow malefactors to manipulate products to create vulnerabilities
- plan the work of practitioners
- set and monitor compliance with development standards, particularly ones concerned with security
- select and implement methods and tools
- monitor the effectiveness of the development process and identify changes which will improve performance
- recruit, train and assess practitioners
In some organisations there may be several levels of Secure System Developers, ranging from junior entrants (including apprentices) to senior developers, team leaders and section managers. Broadly speaking, however, there are two levels: practitioners and senior practitioners, who may work either as very experienced developers or as managers.
Practitioners:
- tend to carry out all of the tasks of a developer, working to plans and standards set by managers and reporting fairly frequently to them
- may, in a small organisation, work alone, as the only secure developer, on a broader range of tasks, from defining the requirements for products, designing them and implementing them in the live environment to, sometimes, even training and supporting users
- more usually work in fairly large organisations, as part of a team whose members work on different elements of the same products, much like conventional software or hardware developers; in such structures, practitioners are likely to have more narrowly defined responsibilities and to be very largely focused on development
Senior practitioners with a lot of development experience:
- perform the same set of tasks but work on more complex products
- may have additional management responsibilities, in which case they will spend less of their time on development tasks
- logical thinking
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
- software development
- hardware design and prototyping
- version control
- documentation of designs
- data protection regulations
- cloud development techniques
- configuring and implementing software and hardware security components, including cryptographic solutions
- secure development standards, such as Security Development Lifecycle
- 'agile' techniques, such as SCRUM and Continuous Development, Continuous Integration and Continuous Testing
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs).
C2 – Technical Security Architecture
- contributes to the development of Computer, Network and Storage Security Architecture, incorporating hosting, infrastructure applications and cloud based solutions as covered by the role of Chief Security Architect
- interprets relevant security policies and threat/risk profiles into secure architectural solutions that mitigate the risks, conform to legislation and regulations and relate to business needs
- presents security architecture solutions as a view within broader IT architectures
- applies security architecture principles to networks, IT systems, Control Systems (e.g., SCADA, ICS), infrastructures and products
- devises standard solutions that address requirements delivering specific security functionality whether for a business solution or for a product
- maintains awareness of the security advantages and vulnerabilities of common products and technologies
- designs robust and fault-tolerant security mechanisms and components appropriate to the perceived risks
- uses appropriate methodologies and frameworks
C3 – Secure Development
- implements and updates secure systems, products and components using an appropriate methodology
- defines and/or implements secure development standards and practices including, where relevant, formal methods
- selects and/or implements appropriate test strategies
- defines and/or implements appropriate secure change and fault management processes
- verifies that a developed component, product or system meets its security criteria (requirements and/or policy, standards and procedures)
- specifies and/or implements processes that maintain the required level of security of a component, product, or system through its lifecycle
- manages a system or component through a formal security assessment
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
A Secure System Development practitioner requires a wide range of specialist skills, making it difficult to start a career in this specialism without substantial knowledge and experience. In particular, knowledge is required of some form of development, along with a reasonable level of practical understanding of the security risks and solutions involved in developing software or hardware technology products.
Generally, this means that the only roles in which you might have developed useful transferable skills, which could then be augmented by specialist training, are those in other related areas of engineering and software development. Such roles include:
- software development
- engineering - especially electronic or production
- video games development
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.
As an experienced practitioner in a Secure Systems Development role, you'll typically need knowledge from the KAs listed below, depending on the types of components on which you're working. If you work purely on software components, purely on hardware, or on combined hardware and software products, you'll have different knowledge requirements, as will someone working on web- or mobile-based components.
Few people working in this specialism need all of this knowledge. Depending on the details of your work, you'll need a very good understanding of some or, in a few cases, all of the Core Knowledge. The requirement for you to have a good understanding of relevant areas of the Related Knowledge will also depend on the focus of the work. Similarly, the requirement for you to a have a basic understanding of the Wider Knowledge, which provides context for your work, will depend on this focus.
Coming into such a role, you will not be expected to have all this knowledge initially, but you do need to have most of the Core Knowledge relevant to your type of work.
Core knowledge (depending on the nature of the development work)
The application of security software engineering techniques in the whole systems development lifecycle resulting in software that is secure by default.
Known categories of programming errors resulting in security bugs, and techniques for avoiding these errors, both through coding practice and improved language design, together with tools, techniques and methods for detecting such errors in existing systems.
Security in the design, implementation and deployment of general-purpose and specialist hardware, including trusted computing technologies and sources of randomness.
If you're working in a role which has responsibility for the security of industrial control systems (ICSs), you will also need:
Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures.
Operating systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multi-user systems, secure virtualisation, and security in database systems.
Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multi-tenant data centres and distributed ledgers.
Core primitives of cryptography as presently practised and emerging algorithms, techniques for analysis of these, and the protocols that use them.
Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
You might start in this specialism as an apprentice.
Alternatively, you might start as a graduate, with a degree in:
- electronic engineering
- software/computer engineering
- computer science
Or, you might move into a role in this specialism from another position in IT or from another specialist cyber security role.
For practitioner roles in software development, titles include:
- Secure Development Lifecycle Specialist
- Software Engineer
- Software Development Engineer
- Application Security Engineer
- DevSecOps Engineer
For practitioner roles in hardware/hybrid hardware-software development, titles include:
- Hardware Engineer (although this title is also used for roles which do not require secure development)
- Electronics Design Engineer (Hardware)
- Platform Engineer (Networks)
For senior practitioner roles in software development, titles include:
- Engineering Manager - Secure Cloud
- Senior Security Engineer (Software Security)
- DevSecOps Lead
- Senior Software Engineer – Cybersecurity
For senior practitioner roles in hardware development:
- Senior Hardware Engineer (although this title is also used for roles which do not require secure development)
A Secure System Development practitioner might earn between £40,000 and £55,000 a year.
A senior Secure System Development practitioner might earn between £55,000 and £95,000.
These ranges are calculated from a survey of online job vacancies advertisements in March 2021. Most of these advertisements did not include salary figures, so the sample size is small and may not be representative of the salaries for such roles in all sectors or all regions.