Security practitioners know that the security of the software in use by consumers and enterprises is critical to running a hardened security program. Yet, when considering who belongs to the security practitioner “community,” few people would include software developers or architects in that group—despite the push for DevSecOps over the years. Software developers and architects are on the front lines of security, but landing a job in the profession doesn’t always mirror a more “traditional” role, like CISO or security admin. But in many ways, the pathways to these roles include similar steps.
In this Q&A for our series “How I Became….” on InfoSec Insider, we spoke with Jeff Bohren, Senior Software Architect at Optimal IdM, about his journey to where he is today. Working for a security solutions provider, and given his background and experiences, Jeff certainly keeps security at the forefront of his work. Below he shares a bit of insight on his career progression to date.
My first job after graduate school was developing mapping software for a small defense contractor, mostly working for the Swedish Air Force. I had a Master’s Degree in aerospace engineering and fell into software by accident. I really didn’t start working on security until almost 10 years later when I was put in charge of the security for an account provisioning product. I have been working on security and identity management ever since, about twenty years now.
No, it has definitely been an on-the-job training experience. Early in my career I would spend time outside of work teaching myself new programming languages. From there I studied software development theory, such as Agile Development, which is a fascinating field. As I started working on software architecture, I studied subjects like web application security, networking, internationalization, federation, and cryptography. The key is to always keep learning.
I have been involved in identity management product development for nearly 20 years. I find identity management presents an interesting set of challenges that are central to security. You really can’t work on identity management without being involved in security, and to some extent the opposite is true as well. Remember, you can’t secure what you can’t manage, and you can’t manage what you can’t identify.
In addition to standard software architecture theory, in the identity management space you need to learn cryptography and digital signatures, and then web application security. These skills form the bedrock for standard federation, authentication, and provisioning protocols.
Another important but unappreciated skill is internationalization. You don’t have to be able to translate your product into another language, but you must provide the capability for someone else to do so.
Most people would not expect how often software architects need to think like a bad guy. Your first instinct when you see a new feature or technology should be to ask, “That’s great, but how could I use it for evil?” You must think that way to stay ahead of the bad guys.
Jeff will be presenting a breakout session entitled, "Bridging the Protocol Gap on Cloud Identity Projects" at InfoSec World Conference in Orlando, Florida, March 19-21, 2018.