There are many different types of information security positions covering compliance to architecture. Do you think it is better for an information security professional to have actual development or programming experience?
I think it is very beneficial in many areas, and is good for increasing career opportunities. Here are a couple of examples:
Ron Parker CISSP, CCSP
Yes, having the experience helps. Anytime you have experience in doing the work, it makes it easier to protect it. Hacking is all about making things behave in ways that were not expected. If you do not fully understand the expected behavior, you will not be in the best position to protect it, or you might suggest the wrong thing.
There is currently a discussion going on in the business world on whether it is better to have a CEO that has knowledge but is weak in many areas or has limited knowledge but is strong in those few areas. Some research says it is better to hire the specialist rather than the generalist. I would argue that it depends on the situation the company is going through.
The same can be said for hiring a supervisor. Do you want someone with strong managerial skills but no knowledge or limited knowledge of the work they are supervising, or do you want a strong technical person that you will have to give time to learn the managerial roles? I vote for the latter (tech skills) because if you do not have strong skills your employees may be able to lie to you and you may not have enough info to dispute it. But then again the situation could be dependent on other things.
I think you provided a nice summary of the benefits of a development background. Some additional benefits I would add are the ability to speak with the same vocabulary as your developers. This helps to ensure there are no misunderstandings.
Additionally, when covering topics such as the OWASP TOP 10, being able to explain remediation steps in terms a developer can understand helps to foster a feedback loop between security and development.
Lastly, it empowers security teams to trust but verify when it comes to looking under the hood to see just what your developers are doing.
Jason Wilson CISSP, CSSLP, CCSP
This is a great question and has been debated at great length by most, if not all, professionals in technical fields of work. In my opinion, it really depends on the information security professional's scope of responsibilities. If you are leading a small team of technicians responsible for testing and implementing security patches and software upgrades, then it would definitely help to know the technical details. It's even more important, however, to be able to translate those technical details to normal <insert language here> for your supervisors to get their approval and commitment.
Now, if you are leading a large division made of many teams then you will most likely never need to see the 1's and 0's of it all. You may not have programmed since learning COBOL but that's ok. At that level, it is much more important to see the "big picture" and ensure your teams have the training, resources, and confidence to do the job.
That said, I am a strong advocate of lifelong learning. Not necessarily to be able to sit in the driver's seat and sling code but to understand trends.
Isn't everything a rehash?
Yes, once you have a basis for understanding it doesn't mean you have to be a Top-Coder. It just means you can translate and relate vertically whether up or down.
For me it also adds a level of realism outside the academic realm. So at the end of the day your advice or solutions are more valuable.
Hands-on experience does make a difference. I have heard complaints from others in my field that we (the security community) are sometimes graduating people with knowledge but no (or very little) hands-on experience with the technologies they are going to be attempting to protect. This hampers them on the job when things don't work like they did in the 30-minute lab at school. Labs are often virgin systems that get wiped between classes, so you have a very easy and new setup each time. The real world isn't like that.
I sure do, but how much does this cost? Where can I get the education for this?
If you are already into the InfoSec world there are plenty of resources for you to do work on your own. It really depends on your current area of concentration in InfoSec. Having familiarity with these covers a lot of area, plus it helps if you are in the software assurance area. Look at this not-so-all-inclusive list, for example.
Python can be used for file processing, data crunching, and creating security tools, and is the language used by many security tools on the market today.
PowerShell if you do anything with Windows resources. It is the de facto Microsoft scripting tool.
SQL, even though it has many variants, they are similar enough. It will also help to have basic database skills.
Go(lang) has been a growing area for several years because of its association with Docker. It is a very utilitarian language that is mostly self-contained. Plus it generates stand-alone EXEs out of the box.
Plus a book on Security Engineering.
There are also plenty of free cloud resources. You can get free accounts with Microsoft and Amazon for a year at least. You can set up your own development area.
Hope this helps.
Ron Parker CISSP, CCSP
Certainly it depends on what you do, but I think some kind of programming and development experience always makes for a better security professional. Even for someone who works in big-picture, strategic areas, the ability to understand the specifics of software-based vulnerabilities and their exploits is extremely valuable. Pull any category you want from the CVE; it's not like these things are easily grasped concepts. I think you need some practical experience with them.
I think you just can't be an effective security professional without some level of coding experience. As everything our businesses use and rely on has become code (literally everything), we need this knowledge. Understanding development teams and working with them as they push products towards a deadline (ha! no release == no income for your organization. Deal with it!) can only be done by professionals that have lived it.
Just the other week I sat through an ISO audit with one of my clients. We rely heavily on AWS and most of our infrastructure is deployed using code. Spinning up a client environment is 100% scripted. The auditor had never seen this and it wasn't the most pleasurable experience walking him through it.