Code or Secure? Why both Developers and Security Engineers must Adapt
Author: Benson Macharia (@benson-macharia)
Should developers learn security, or should security engineers learn how to code?

It’s like asking whether pilots should understand airplane mechanics or if engineers should know how to fly. While both roles are different, they depend on each other to keep things running smoothly.
Why does this matter?
If a pilot doesn’t know basic engine mechanics, they might not recognize a warning sign before disaster strikes. Similarly, an engineer who has never flown a plane might struggle to design controls that make sense for real-world pilots.
In the world of software, this divide is causing big problems. Developers focus on building features fast, often seeing security as a blocker rather than a priority. On the other hand, security engineers hunt for vulnerabilities but sometimes lack the deep coding knowledge needed to fix them efficiently. This leads to frustrating delays, miscommunication, and insecure applications that hackers can easily exploit.
Imagine a developer working on a new banking app. Their main focus is making sure users can log in, transfer money, and pay bills easily. But if security is not considered early, they might store passwords in plain text, forget to validate user input, or expose sensitive data in error messages. Later, when security engineers test the system, they might find these issues—but if they don’t understand how the code works, this can lead to a cycle of patching and re-testing, delaying the release and potentially causing user frustration.
Now, think about a security engineer trying to secure an AI-powered chatbot. They understand the risks of prompt injection attacks, but if they don’t know how the model’s code handles user input, they might struggle to implement the right defenses. Without a coding background, they might suggest general fixes that don’t work well in practice, leading to friction with the development team.
These gaps create delays, miscommunication, and security risks that attackers love to exploit. In the worst cases, vulnerabilities go unfixed because neither side fully understands the problem.
Should Developers then learn Cybersecurity?
Yes, at least the basics. Developers don’t need to become security experts, but they should understand secure coding principles. Some key areas to focus on include:
- Input Validation – Always sanitize and validate user inputs to prevent attacks like SQL injection and cross-site scripting (XSS).
- Authentication & Authorization – Use strong password hashing, multi-factor authentication (MFA), and least privilege principles.
- Secure Data Storage – Never store sensitive data in plain text. Always encrypt important information.
- Error Handling – Avoid exposing sensitive system details in error messages. Attackers can use this information to find weaknesses.
- Secure APIs – Protect APIs with authentication, rate limiting, and proper access controls.
By learning these security basics, developers can write safer code from the start, reducing the chances of vulnerabilities later.
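The banking-app failure modes and the checklist above, shown as one login routine in a weak and a hardened form. This is an added example, not code from the original article; the table names, function names, length limits and PBKDF2 iteration count are assumptions, and the schema is constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption; tune to your hardware)
GENERIC = "Invalid username or password"

def new_db():
    # Constructed in-memory schema: one table per variant.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE weak (name TEXT, password TEXT)")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Weak: plain-text storage, string-built SQL, raw database errors sent to the client.
def register_weak(db, name, password):
    db.execute("INSERT INTO weak VALUES (?, ?)", (name, password))

def login_weak(db, name, password):
    sql = f"SELECT 1 FROM weak WHERE name = '{name}' AND password = '{password}'"
    try:
        return db.execute(sql).fetchone() is not None, ""
    except sqlite3.Error as exc:
        return False, f"DB error: {exc}"  # exposes query internals

# Hardened: salted slow hash, bound parameters, length limits, generic errors.
def register(db, name, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, derive(password, salt)))

def login(db, name, password):
    if not (0 < len(name) <= 64 and 0 < len(password) <= 128):
        return False, GENERIC
    try:
        row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    except sqlite3.Error:
        return False, "Login temporarily unavailable"  # details belong in server logs
    salt, stored = row if row else (bytes(16), b"")  # unknown user: still do the hash work
    ok = hmac.compare_digest(derive(password, salt), stored)
    return (True, "") if ok else (False, GENERIC)
```

A legitimate name containing an apostrophe is enough to make the weak version return a raw SQLite error, while the hardened version logs the same user in and gives the same generic message for a wrong password and an unknown account.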
What about Security Engineers becoming coders?
Again, the answer is yes — at least to an extent. Security engineers don’t need to be expert developers, but they should know enough coding to:
- Understand how applications work – Knowing how databases, authentication, and APIs function helps security engineers identify real risks instead of just theoretical ones.
- Write security tests & automation – Security engineers who can write scripts in Python or JavaScript can automate security testing and detect vulnerabilities faster.
- Fix security issues more effectively – When security engineers understand code, they can work closely with developers to suggest fixes that actually work.
The future: Merging Development and Security Skills
The industry is changing, and the divide between developers and security engineers is shrinking. Many job descriptions for software engineers now include secure coding skills as a requirement. Companies expect developers to write code that is not only functional but also secure from the beginning. Security is no longer just an afterthought handled by a separate team.
At the same time, security engineers are increasingly expected to have coding experience. Security testing is moving beyond manual analysis to automation, requiring scripting and software development skills. Security professionals who understand software development can create better security tools, write effective security policies, and integrate security into the development process more seamlessly.
In the future, we are likely to see a rise in Security-Aware Developers and Coding-Savvy Security Engineers, a hybrid approach where both roles understand and support each other better. This shift will lead to faster vulnerability fixes, stronger application security, and fewer costly breaches.
Bridging the Gap
Developers and security engineers must work together to create secure software. Here are some ways to close the gap:
- Security Training for Developers – Companies should train developers on secure coding practices and threat modeling. This helps them think about security early in the development process.
- Coding Training for Security Engineers – Security teams should learn basic coding skills to better understand how applications work and improve communication with developers.
- Shift Left Security – Security should not be an afterthought. It should be integrated into the development lifecycle from the start, with security checks happening at every stage.
- Collaborative Security Reviews – Developers and security engineers should work together in code reviews and threat modeling sessions to catch vulnerabilities before deployment.
- Security Automation – Using tools like static application security testing (SAST), dynamic application security testing (DAST), and infrastructure-as-code (IaC) scanning can help detect security flaws automatically.
"For the things we have to learn before we can do them, we learn by doing them" - Aristotle