Secure Coding mailing list archives

Hiring folks that are familiar with SC practices


From: gunnar at arctecgroup.net (Gunnar Peterson)
Date: Sun, 04 Jun 2006 17:24:01 -0500

One of my colleagues referred to the current hiring situation for app sec
folks as being analogous to looking for Apache webmasters in 1994.

In his movie "He Got Game", Spike Lee cast NBA player Ray Allen in the lead
role because he said that it was easier to teach basketball players to act
than to teach actors to be realistic in basketball scenes.

In my experience, I have seen companies generally have more success training
architects and developers in security rather than teaching security people
(e.g. network security and auditors) about software and development. Partly,
developers have more street cred with the end audience/consumer which is
developers. Software security is really a set of software design patterns so
the development background helps to know when and where to apply the
security mechanisms - is this a design thing, a process thing, a component
thing, and how do I engineer it, etc... Whatever the person's background, the
effort level and interest is the key to success, cf. Robert De Niro in Raging
Bull.

-gp

On 6/4/06 10:29 AM, "ljknews" <ljknews at mac.com> wrote:

At 10:38 AM -0400 6/2/06, McGovern, James F (HTSC, IT) wrote:

Figured I would ask the list a question that I haven't figured out the
answer to. How have other enterprises that seek architects and developers
knowledgeable in secure coding software development practices articulated
it to their internal HR recruiting arm? We have been seeking candidates
with this background but haven't run across much on our side of town.

Are you bringing something to the table to attract such people?

Or have you preconstrained the programming languages and techniques
to be used?




