Cal Evans, Gun.io’s Developer Evangelist, has been committed to providing valuable resources for software developers through conversations with experts. These have included Josh Holmes from Microsoft on public speaking, and Keith Casey, who previously served on the product team at Okta and as an early evangelist at Twilio on how to become a software architect.
Now, Cal brings us a conversation with Chris Cornutt, Senior Product Security Engineer at GitHub, on changing careers as a software developer. Chris shares his decision-making process for changing careers, how he laid the groundwork for a seamless transition, and what he wishes he had known before switching from a full-time PHP developer role to product security.
We've outlined the key takeaways from Chris and Cal's conversation to help you set yourself up for a successful career change within the technology industry:
Why did you make a career change?
“Honestly, I got to a certain point in my career. At that point, I'd been doing PHP development strictly for maybe 12, 13 years and I kind of felt like I was plateauing a bit.
There was always new stuff to learn obviously, and new technology to mess with, but after a while, you start going through those cycles. It's like, “oh, new technology. I'm going to go learn about it. Okay. I'm done with learning about it”.
I'd always had an interest in security and I thought this would be a really interesting way to pivot my career because the aspect that I went into was application security.
You're still in the code. You're still working with other engineers and everything. It's just a little bit different perspective because you're really focusing more on that security aspect of it.”
What does your new role as the Senior Product Security Engineer at GitHub entail?
“The team that I'm on, it's actually the security partners team. We're focusing on internal training, potentially external training, and really trying to grow the security organization's role inside of the larger GitHub organization.
We’re reducing that friction level between the other security teams and the engineering staff. We're still feeling it out a little bit, what it's all going to entail. It’s more on the educational side, the instructional side, to really broaden the knowledge and share as much knowledge as we can with the rest of the organization from a security standpoint.”
Was your transition from PHP development to AppSec gradual?
“It was a little more of a gradual thing. Like I said, I'd always kind of had an interest in the security aspect of development and I didn't really get to pursue it very much early on.
Then, as my career started snowballing, it was just more focused on the high-tech side of things. It was a very conscious decision on my part to make that pivot in my career.
So it wasn't a huge shock. It wasn't like I was going into network security or physical security, where it was just completely different.
I carried over some of my [previous] knowledge because I had the familiarity with the development side, the architecture side of applications. It was nice to have that background and carry that forward.”
How long did the transition take from a full-time programmer to security?
“Probably about a year or a year and a half, something like that.
There was a role that I got over at HP. It was still doing programming, but it was in the security group. So, it was more focused on the security aspect of things.
Then, I ended up migrating from there to Salesforce. That was my first official application security role. That team was an interesting balance. We were still doing some development on the code base, creating tools that could help improve the security, and making security patches for applications that were running.
Then, as I moved on to Duo/Cisco, it was more about the full-on application security, and then, it migrated a little bit from there.”
How did you prepare for your career change?
“I was thinking about making the move at the job that I was currently at. So, I thought, “Hey, I'm going to start learning about this. I'm going to start reading up as much as possible.” I had a baseline of knowledge, I knew enough to know that there was a lot that I didn't know.
So, I immediately started doing research. I started to listen to talks on YouTube and really understand what it meant to apply this stuff in the development context. So it wasn't just, “oh, I read in a book about cross-site scripting, so now I’m an expert”. We need to know how that usually shows up in applications and what we do to fix it.
After I got to a certain point, I was like, “okay, this is what I want to do”, and I looked for roles, application security roles, that I could move into. At the time, it was a natural flow.”
A lot of people worry about taking a pay cut or demotion when deciding to switch careers. Did you experience that when making your transition?
“I did. On the development side, I ended up getting up to a team lead. I was even a manager for a little while.
Whenever I did jump down or jump into the application security world, it was starting out as an application security engineer, which is basically the same as a junior to mid-range developer. Fortunately, the pay was pretty similar because the pay on the development side is pretty high for most folks, for the average role on that side.
Unfortunately, the security world is pretty similar. Super big demand for people on both sides of the programming and the security side, and they have to keep things really competitive. So, being able to find people that have that development background that want to come over into security, is even a little bit more difficult.
So, it was nice to carry over that knowledge and have it be relatively comparable, and then slowly over time, I moved up to the senior level. There's growth and there's potential for even further growth.”
Do you feel like your career change set your career back?
“No, not really.
Obviously, it's a different kind of atmosphere; there are still things that I feel like I'm still catching up on in the security world.
I knew the technology, I knew the code, I knew what the exploits were, and how to mitigate them, but then when you come into an environment where a lot of the people have been doing security-related things for 20, 30 years, there's just some built-in knowledge on that side of the industry, that coming in brand new, basically, you just don't have.
So, there are some aspects that I feel like I'm kind of still catching up on, even though my first application security job was six years ago, seven years ago, but it's not always about the technology side of things.”
Looking back, do you still feel good about your decision to change careers?
“Oh, yeah, absolutely. Like I said, I felt like I had hit a certain point in what I was doing before. Once I made that move, the growth that has happened since has really enhanced my personal satisfaction in what I'm doing these days.
I feel like if I had stayed doing what I was doing before, I just wouldn't be at that place right now, and honestly, I think if I hadn’t made the move over to security, it would have been something else by now. I would have figured out something else to pivot into that would have allowed me that personal level of growth, both in my career and personally.”
What do you wish you would have known before making the jump to a new career?
“I think I would have liked to have come into it a little bit more knowledgeable about the general community on the security side, and a little bit more about the application of the knowledge.
When I first shifted over, it was like, “this is what cross-site scripting is and this is how you fix it”, but getting in there and actually finding it in an application, and then trying to figure it out is different.
You know, there's all sorts of meta things, outside of just the technology itself, and I think if I had spent a little bit more time focusing on some of that versus just the technology, it would have been a little bit easier. That's not something you can't learn.
That's the key when you do make a transition, whether it's huge or whether it's similar to what you're doing, you have to keep going. It's not one of those things where I was like, “Okay, now I'm an AppSec engineer and I can stop learning”. You just have to keep going, and there's always something, regardless of what industry you're in, there's always more to know.”
What advice would you give to other developers interested in switching to another role or field?
“Honestly, the biggest piece of advice is kind of what I ended that last one on: always approach things and try to learn as much as you can about them.
Most developers that I know did the same thing on that side. They sat and they tinkered with code, messed with different frameworks, and learned about new things. You have to keep learning as you're doing it. There's so many new technologies. There's so many new products that are out there.
One of the things that I've done lately, with more of the move back into instruction, teaching and training, is that I actually went back to grad school and got a certificate in instructional design so that I could really get a solid background in that.
It's not a full master's or anything like that, but I wanted that background so that I could really take that and apply it to what I'm currently doing so that I can really understand the principles behind what makes a good teacher, a good curriculum plan.
So, keeping an active and open mind and really trying to just absorb as much as possible.”