With all the recent talk of 'x as code' and high-profile software supply chain failures, I would think that there would be interest in transitioning experienced developers into cybersecurity roles.
My experience so far has been that even with a CSSLP, recruiters want someone who was in a 100% cybersecurity role vs. an engineer deeply involved in secure software development.
I think that might change as SSDLC starts to become more important. Just curious if anyone has made the transition without having to start over at the bottom?
There are many aspects of development that include security (e.g. DevSecOps). The SDLC has exit gates which require a security review, and I would think that if you have experience with coding standards, manual code review, automated scans like HP Fortify, or OWASP, it would be a great transition, or even an alternate career/job capability, to pentesting, security engineering, etc.
In my specific case, I've been developing PA-DSS certified software for the last 10 years or so, managing all of the DevOps infrastructure, and embedded with the IT and Security teams as the R&D 'representative'.
I applied for 6 or 7 cybersecurity roles that seemed like a good fit and never heard back on any of them. In the end I accepted another senior engineering role, so I'm no longer looking. Still curious about the prospects.
Perhaps recruiters/hiring managers are reluctant to consider developers, maybe concerned that salary would be an issue?
Recruiters are probably using automated systems to filter your applications, and if these don't find specific keywords or qualifications, the applications will not be selected for human review. So there are 2 courses open: either try to get a position via a recommendation from a contact already working in the field, or determine the specific qualifications or keywords that are being searched for.
The CSSLP isn't very often asked for in job postings. Companies with openings often ask for more generic InfoSec qualifications like CISSP or CISM.
Even if you're not actively looking, make sure your resume is on all the major websites. Also, as mentioned, since we are basically in IT, include any associated terms in the profile (tools, OS, applications, etc.), as those keywords will trigger a search. If you get a lot of job inquiries for the wrong positions, you might need to scale back the keywords, but you can still have them in the resume/CV. Rate will always be an issue. There are a lot of "body shop" companies out there looking for the cheap deal. Make sure you do your research, and even consider leaving out rate information and leaving that discussion until they actually have interest after the interview. In most cases the companies have already done their research.
There's another approach that tends to work well. Match yourself against the job requirements point for point and write a covering letter as a prefix to your resume. The point is to explain to the recruiter how you match the job opening, which should make their life easier. It also shows that you've taken the time and aren't just 'mass mailing' CVs in a non-targeted way. You'll need to set aside 90 mins to 2 hours per application, but give it a try, as in my experience it has a much higher success rate in securing a first conversation with the hiring manager.