One of my colleagues referred to the current hiring situation for app sec folks as being analogous to looking for Apache webmasters in 1994.
In his movie "He Got Game", Spike Lee cast NBA player Ray Allen in the lead role because, he said, it was easier to teach basketball players to act than to teach actors to be realistic in basketball scenes. In my experience, I have seen companies generally have more success training architects and developers in security rather than teaching security people (e.g. network security and auditors) about software and development. Partly, developers have more street cred with the end audience/consumer, which is developers. Software security is really a set of software design patterns, so the development background helps to know when and where to apply the security mechanisms: is this a design thing, a process thing, a component thing, and how do I engineer it, etc. Whatever the person's background, the effort level and interest is the key to success, cf. Robert De Niro in Raging Bull.

-gp

On 6/4/06 10:29 AM, "ljknews" <[EMAIL PROTECTED]> wrote:

> At 10:38 AM -0400 6/2/06, McGovern, James F (HTSC, IT) wrote:
>
>> Figured I would ask the list a question that I haven't figured out the
>> answer to. How have other enterprises that seek architects and developers
>> knowledgeable in secure coding software development practices articulated
>> it to their internal HR recruiting arm? We have been seeking candidates
>> with this background but haven't run across much on our side of town.
>
> Are you bringing something to the table to attract such people?
>
> Or have you preconstrained the programming languages and techniques
> to be used?

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php