Time to update knowledge

This might be telling folks to suck eggs, but if you are doing secure code reviews and your development skills relate to type 1 JSP and Struts 1.3, it’s really time you got stuck into volunteering to code for open source projects that use modern technologies. There’s heaps of code projects at OWASP that need help, including helping me with code snippets that are in a modern paradigm.

I don’t care what technologies you choose, but your code reviews will not be using Type 1 JSPs or Struts for that much longer – if at all. Time to upskill!

I suggest:

  • Ajax anything. Particularly jQuery and node.js. GWT is on the wane, but still useful to know
  • Spring Security, Spring Framework and particularly Spring Web Flow are essential skills for any code reviewer doing commercial enterprise code reviews
  • .NET 4.5 and Azure are killer skills at the moment, particularly as Windows 2012 has just been released. Honestly, there is a good market to be a specialist just in this language and framework set, as it’s literally too large for any one person to know.
  • Essential co-skills: Continuous integration, agile methodologies (you have updated your services to be agile aligned, right?), and writing security unit tests so your customers can repro the issues you find.

It’s important to realise that good code reviewers can code, if poorly. Poor code reviewers don’t code and have never written a thing. Don’t be a bad code reviewer.

I do not suggest Python, Ruby on Rails, or PHP as these are rare skills in the enterprise market, but if they scratch your itch, go for it, but be aware that these skills do not translate out to commercial code review jobs. The fanbois of these languages and frameworks will hate on me, but honestly, there’s no reason to learn these languages except for the occasional job here and there, and if you’re any good at the list above, PHP in particular is easy to pick up. Fair warning, it’s a face palm storm waiting to happen.

Published by vanderaj

Just another security geek

Join the Conversation


  1. Andrew, great post but I strongly disagree when you say (rather than I don’t hate you also if I’m a ruby fanboy =) ):

    I do not suggest Python, Ruby on Rails, or PHP as these are rare skills in the enterprise market, but if they scratch your itch, go for it, but be aware that these skills do not translate out to commercial code review jobs.

    A lot of websites are built using frameworks based on the aforementioned languages too and an attacker can brake them to result at least in a brand damage for a company or even in a direct intrusion if the architecture will permit it.

    It’s not a matter of languages I think. A good code reviewer must love to craft software too. It should be able to write a web app using the best language to achieve the best result with the minimal effort.

    For a big enterprise there is also the web agencies threats as I wrote in my blog. It’s not that rare that big companies ask for security clueless web agencies to put online a website to make offering to customers or just to show a product. Such as web agencies won’t start (in my experience) a J2EE project or .NET one since it’s too expensive in terms of development effort and hosting. They would fireup a PHP powered wordpress with some custom code and the big company security team must be skilled enough to be able to code review also such kind of internal assets.

    IMHO based on my daily job experience, of course.


  2. Paolo, I knew when I wrote it, I would be courting controversy. It’s like the Android fanbois here – over 80% of the Australian smartphone market is Apple. If you target Android you will starve. It’s a very fluid situation. The thing is that the security gotchyas from Django and RoR are simply not transferrable to any other framework. I think of any clueful security person I know, and I know we can pick up new concepts, frameworks and languages very fast and easily.

    However, learning one of the more obscure ones first doesn’t really serve my purpose. It’s been a LONG time since I’ve seen PHP code in commercial engagements (~ 4 years and less than 10 engagements total in my entire code review career), and yet it powers > 65% of the world’s web apps. I would love for more PHP work as it’s my favorite language, but enterprises just don’t use it in any significant numbers. I don’t want folks starving!

  3. @vanderaj For sure Andrew I see your point of view from a people in an company appsec team member point of view.

    From a security contractor, for sure addressing J2EE and .NET first can give more chances of being engaged by a big company.
    Please note that there are (at least in Italy) tons of J2EE app written with very old language version and frameworks that they can’t be upgraded due to compatibility matters.

    It’s a tricky situation.

  4. As I’m sure you knew it was flame bait when you wrote it I feel obliged to flame.

    I spent this summer job hunting. With the exception of not wanting to work with languages such as APL or COBOL, my hunt was language agnostic. I didn’t keep score but I had nearly as many Ruby interviews as I did Java interviews. That said, the Ruby companies were mostly start-ups while many of the Java companies were well-established entities.

    This may be an atypical sampling as the metro-Boston area has a lot of MIT start-ups that tend towards the cutting edge.

    And, whether or not Ruby is useful getting employment seems trivial to the fact that Ruby has become the heart of the FOSS community. It is perhaps best exemplified on Mac OS X. There you frequently use the Ruby package manager, homebrew to install a Ruby open source application that is hosted on Github, a Ruby site.

    That’s an awful lot of trust based on Ruby apps.

    To conclude my flaming, I argue that Ruby is the most important language for security professionals to be learning as Ruby usage has far outpaced security expertise in Ruby.

    Neil Smithline

Leave a comment

Your email address will not be published. Required fields are marked *