Think Like a Software Engineer

Think Like a Software Security Professional

Thoughts on evolving our professions in the midst of doing them,

by Susan Sons


This talk will be most useful to software developers and those who manage, teach, and mentor them.  However, anyone with an interest in information security or where software comes from may find some of the material approachable.

About Me

I'm Susan Sons, a Senior Systems Analyst from Indiana University's Center for Applied Cybersecurity Research.  I've become a jack-of-all-trades sort of security engineer, but my first love was software engineering, as I came up among some wonderful old-school systems programmers.

Computer science is not software engineering.

Computer science asks what is possible.

Software engineering makes things possible...

  • on a budget

  • on schedule

  • despite personnel turnover

  • for users who have their own motives and constraints

  • using only the tools and techniques available

  • in a way that can actually be maintained

  • and won't fail too much or too dangerously

  • or make too many people angry

Code camp is not software engineering.

"Hands-on" programming projects don't have:

  • to build reliably

  • to be portable

  • to be documented

  • to be usable

  • to be secure

  • to be maintainable

  • users

Curmudgeon engineer gripes about new recruits

Next at 11: water is wet!

Engineering used to be taught through apprenticeship.

Why doesn't this happen with software engineers?

  • The who
  • The how
  • The when, why, and where

Mentoring and Being a Mentee in Software Engineering


A Model for Teaching, Learning, Doing, and Communicating Infosec