Security Engineering vs. Software Development

January 29th 2021

The following article is part of a series of articles about our NerdWallet Internship program. Saswata Gupta shared their experience as a software engineer intern. If you are curious about joining NerdWallet as an intern or full-time employee, please apply for one of our open positions!

What This Is About

I’ve just finished up with my internship at NerdWallet as a security engineer and I couldn’t help but realize how different this internship was compared to my previous five internships. That’s not to say my previous experiences were all homogenous, but I had definitely become accustomed to a pattern of work that I didn’t experience during these past few months. For instance, there was a week I spent where I hadn’t written a single line of code, which was crazy to me at the time. That’s not to say my time at NerdWallet was tarnished; actually, the opposite, since my goal for internships is to get a wide breadth of experiences. I wanted to understand why this experience felt so new to me. The obvious conclusion was that security engineering was the outlying factor, as my previous experiences were more software development related. Putting more thought into it led me to understand the stark differences between these two roles in the tech industry, but also how they are similar. In this post, I hope to give those of you curious about these domains an overview of both and how they compare.

What They Are

Security Engineer:

Goal: Ensure that existing software systems cannot be exploited and private data cannot be accessed by attackers.

Domain of Expertise: The attack methods hackers can exploit and how to mitigate them.

Major Types of Work:

  • Exploratory work - combing through source code or documentation to better understand a system and thus its vulnerabilities.

  • Collaborative work - discussing with other teams / third-party vendors how the system behaves and how it could be vulnerable.

  • Design work - constructing a solution outline to patch up a vulnerability within a system considering all of its effects.

Software Developer:

Goal: Create new software systems and/or maintain existing systems to ensure they function as expected and are performant.

Domain of Expertise: What an effective software system looks like and how to maintain that.

Major Types of Work:

  • Feature / Project work - creating a software system or updating one through programming.

  • Design work - outlining how a software system should behave with all functional requirements in consideration.

  • Collaborative work - discussion regarding the behaviour of a system or how multiple systems may interact.

What's Different

What stood out to me while on the job as the biggest difference was the lack of programming, and in a broader sense, a lack of structure in the work being done. As a developer, it is much easier to know what is correct / what works and what isn’t / doesn’t. As a security engineer, the problems being solved are more vague in the sense that there is less of a definitive correct answer.

An example of this is the main project I worked on during my internship: improving input validation within our backend code. There are so many ways input validation within code can be improved, just in terms of which libraries are used, or even writing our own libraries. Aside from that, there are many other factors that must be considered, which only make the correct solution harder to identify, such as the practicality of expecting developers to code the input validation correctly and how we could monitor the state of input validation to assess the situation and confirm our solution works.

What Both Share

Though the time spent on types of work done may be different between the roles, it wouldn’t be correct to say that any of the types of work listed solely belong to either role. I can confidently say that doing the work in one role will definitely improve the quality of work in the other, as the type of work and the domain specific knowledge helps towards both goals. For example, if a security engineer is well aware of how a developer writes code for a system, it is much easier to identify its behaviour and thus vulnerabilities as well. This goes in the other direction as well, as a developer aware of common security flaws can write more secure code.

Why Both Are Valuable

Broadly speaking, security engineers tend to have less structured work and place an emphasis on in-person and written communication, while developers are focused on programming and designing systems. Both are necessary for a successful product, and both have skills transferable to the other. The only conclusion I can state with complete confidence is that I gained many valuable skills during my internship that will be transferable to any future role I take in the tech field.