by elorant 3106 days ago
While on the subject and since you're an expert in the field, there's something that's nagging me. How good are you guys at programming? My feeling is that most people in the infosec are average at best and only the elites are good at it.
4 comments

I am not sure why you are getting downvoted. You have a very valid question.

There are many different kinds of security roles such as risk, compliance and security reviews (very little programming), penetration testing (programming and scripting to various degrees depending on the work) and security software development (full-time programming).

How good one is at programming would of course usually depend on the individual. In the rest of the software industry, there are all kinds of roles (some of which involve programming and some do not) and the ones that do involve programming have programmers of all kinds and calibre. It is no different in computer security.

I have over 12 years of experience in this field now in various positions where my various colleagues and I have written large security products in C, C++ and Java, as well as smaller security solutions in Python and Go. Most of the time, programming is just a means to an end, which is true for many other fields as well. It is usually math, algorithms, crypto, protocols, etc. that are more interesting and that we need to be well versed with along with being skilled at programming. Also, I would like to share two of my earlier posts around this subject:

- https://news.ycombinator.com/item?id=14873475 (about demand and job prospects in security software development)

- https://news.ycombinator.com/item?id=12545851 (about math and software development in the computer security field)

I haven't downvoted, but "How good are you guys at programming? My feeling is that most people in the infosec are average at best and only the elites are good at it." sounds trollish to me. Designed to elicit an emotional response from people as they will try to defend security people.

I’m a mid-level security architect (governance, risk, compliance) and I’m a below average developer, coming from DevOps/infrastructure before. In my security roles, no development or software engineering skills are required.

I might work on improving eventually, it's just not a priority. Any upward trajectory now is going to be from experience and soft skills.

Pretty bad - hack it together with docs and Stack Exchange really. I did manage to deploy an app with a Django, nginx, gunicorn stack which doesn't crash, so there's that. But as far as good coding skills, I don't really have any - but I'm learning as I go. I also have full management support for this, which is nice, but very rare. I more so play around with pandas and matplotlib to get what I need - pretty much just a step above shell scripting.

I think it's pretty risky to try to categorize all infosec people into one ranking. But I will say most folks I bump into are not writing code for maintainability, or necessarily efficiency. Most of us stick with GEMO (good enough move on). That being said, there are always outliers.