Can They Code? | Eric Alexander

November 12, 2017

Can They Code?

We have a coding skill set requirement for engineering candidates at The Trade Desk. It’s a requirement for everyone from our DBAs to our Information Security Engineers.

I can probably guess what you may be thinking. Let’s get some common arguments out of the way.

“Software Engineers should focus on writing code. Let me focus on my discipline”

“There’s a shortage of InfoSec candidates. Why further limit the talent pool?”

Both are valid arguments that are hard to disagree with. This is my value proposition for why coding is a crucial attribute for any engineering discipline, especially InfoSec: Coding is a skillset that returns value in the form of a force multiplier and is needed to collaborate with the Software Engineering team.

The bar to write code is getting lower every year. It’s easy to learn and apply languages like Python, Ruby, and JavaScript. It’s become almost inexcusable for any human to do a routine task that could be easily automated. Mottainai! Code is a force multiplier tool. Those that know how to use the tool will achieve more in less time.

The force multiplier argument aside, how can we InfoSec practitioners effectively reduce security bugs if we can’t efficiently collaborate with Software Engineers? If we can’t understand the code that resulted in a bug, the inner workings, how can we possibly understand root cause? How can we efficiently drive remediation?

It’s inevitable a moment in your InfoSec career will arise that requires you to provide guidance to a Software Engineer. They’ll make a comment to the effect “can I just show you the code” and they’ll expect you to follow along. It’s one of those rubber meets the road moments. You’ve raised the alarm, they want to fix it, and they need your help. Failure to collaborate here will impact resolution and damage respect for future impact assessments.

Disagree? I get it. There’s always one more thing to learn and somebody convinced you should learn it. It’s exhausting. There’s still plenty of jobs out there on teams that don’t share this sentiment. Let’s agree to disagree on the value of understanding and writing code. Let’s agree that any effort to reduce risk is valuable regardless of how the work was done.

On board? Prefer to automate? Want to collaborate on InfoSec risks with Software Engineers? Reach out. We’re always looking for great people.

© Eric Alexander 2017