Tuesday, October 13, 2009

Which is Easier?

I am way behind on my security podcast listening and I just listened to an OWASP podcast that discussed Gunnar Peterson's post recommending the book Enterprise Application Architecture by Martin Fowler. A former manager who is now an enterprise architect thought it was a good book, but it was interesting to see it recommended by a security professional.

This raised the thought in my mind about whether it was easier for a developer to learn security or a security professional to learn development. I am definitely biased (since I come from a strong development background), but I think training a developer is easier. I have taught so many programming classes where people struggled with simple loops and conditional structures that I am convinced it takes a mindset to understand development.

I do have a hard time understanding how people can't understand it, since I took right too it, but I know not everyone finds it as straightforward as I did. It is like the struggles I had with chemistry lab in college. I did well, but I never could get the results within the "A" range (though I could ace the tests) no matter how much effort I put into it. Physical chemistry is not my strength. In the same way, some people struggle with understanding key programming concepts.

I did have some experience with system administration; including work on Mac, Windows and Unix, though I never worked as a sysadmin. Putting in your own ISDN line did take some technical chops, since it required so much manual configuration at the time, so perhaps I am not the "pure developer" I think.

Interesting question, though we probably need to focus on training developers on security regardless, since a lot more developers are out there. We don't have enough security people to go around to get really strong application security, if we can ever reach that goal as a society.