Telstra is dedicating a new security team to swatting bugs in its own code

  • Liam Tung (CSO Online)
  • 24 November, 2016 09:51

Telstra is building a brand new security team called “Secure Code” that will be dedicated to catching bugs in code on the fly from development teams across the globe.

The telco is on the hunt for secure code engineers and application security specialists to join the new group, which will operate within Telstra’s security operations team.

Telstra says the group will be focussed on “tackling security issues from project conception” and helping roll out a security program that aligns with development methodologies crafted by software giants, such as DevOps, or coordinated development and operations, to improve the quality of code.

Members of Telstra’s Secure Code team will need to be committed to “SecDevOps”, or DevOps where security targets the early stages of the building process.

The group will be responsible for vetting “every line of source code owned by Telstra” across the globe, whether it’s written by in-house teams, outsourced developers overseas, or contracted vendors.

Telstra’s need for efficient processes and new skills to secure its own source code has likely grown in recent years with a spate of healthcare software acquisitions to build out ventures like Telstra Health. The team will eventually review all code from these acquisitions as well as entities under Telstra International.

“Our vision is to establish a brand new team at Telstra focussed solely on application security and secure code related initiatives,” it says.

The two chief functions of the team include integrating security processes into the software development lifecycle and introducing manual code reviews during penetration testing.

“This supports early notification to developers regarding security defects in their code and ultimately reduces the overall cost to remediate,” says Telstra.

“Manual code review would typically be performed during the final penetration test to ensure all possible vulnerabilities (in particular, business logic flaws) had been discovered prior to go live,” it added.

Telstra is looking for secure code engineers and application security specialists with a background in software development or engineering, and experience in traditional and modern development processes.

Candidates for secure code engineer roles will also need to be familiar with a broad range of cloud technologies, including “orchestration, scheduling and scaling, containerisation, virtualisation, security automation, APIs, microservices, DevOps” and continuous integration and continuous development (CI/CD). In addition to web and mobile application experience, engineers would also benefit from having experience in embedded platforms and coding for cloud infrastructure.

It’s after application security specialists with experience in static code analysis tools and delivering application security training and education to developers. They’ll also need “hands-on experience identifying and remediating common application security vulnerabilities in source code.”

Openings for the Secure Code team were posted last week and applications close on 28 November.