What is security expert and how to be?

Hi,
Two days ago I read that Apple hired a security expert that works at NSA to join Apple's security team.
This leads to this?
What is security expert? his daily job?
And more importantly, how to become a security expert?
I noted that IT industry is treating the subject of teaching security as a Pandora's Box and every one is starting to whistle if you asked him about it.
Thanks.

Security is a very broad field.
A security expert is someone who deals with security. (What a surprise!) Those people have a tendency to look at things differently, searching for weakpoints and how something could be broken.
How do you become a security expert? The same way you're becoming an expert in any other field. Take programming as an example. You can teach someone the basics of a programming language. Is he becoming through this an expert? No, by no way! There are so many things involved, like processes (e.g Scrum, XP), tools (IDE, Bugtracker, etc.), Design Patterns, the right choice of the language and so. Briefly: spotting a problem, categorize it and have the right tool for it in your toolbox. (Remeber the phrase: "If the only tool you have is a hammer, you will see every problem as a nail"?!) You don't need to be a master of every tool that you are having in your toolbox but you should know when and how to use it and being able to dive deeper into the topic when it's needed. You need a lot of experience and creativity. Both things which can't be teached. It's like teaching "to become an inventor".

Back to security: in the IT there are different kinds of security experts. Some focus on web application (e.g. finding sql-injections, XSS, CSRF, session hijacking, etc.), some on jailbreaking (google for GeoHot, e.g.), some on infrastructure (e.g. defending a server against hackers) and so on. There are no clear boundaries.

I hope this clears a bit things up.

[edit]
If you are interested in this topic maybe you should read Know your enemy

Thanks for the post.
One comment regarding teaching programming:
Processes (Scrum, Lean ..) and tools (IDE, bugtrackers ..) aren't part of teaching programming.
You can be a super star programmer without all of those.
End of comment
Back to the subject:
Do you see what I mean?
XSS, CSRF, Jailbreaking and defending servers.
How I'm supposed to defend my software/hardware if I don't know how to attack it in the first place?
I may be wrong but no one will teach you to perform attacks and eventually becoming a security expert.

John Todd wrote:How I'm supposed to defend my software/hardware if I don't know how to attack it in the first place?
I may be wrong but no one will teach you to perform attacks and eventually becoming a security expert.

Start by reading what others have written:

https://coderanch.com/t/483806/Book-Reviews/Secrets-Lies-Digital-Security-Networked (an awesome book, IMO)

https://coderanch.com/t/93884/Book-Reviews/Ajax-Security-Billy-Hoffman-Bryan (specifically about web systems)

Lost of interesting pointers are in the SecurityFaq.

John Todd wrote:
One comment regarding teaching programming:
Processes (Scrum, Lean ..) and tools (IDE, bugtrackers ..) aren't part of teaching programming.
You can be a super star programmer without all of those.

Yes and no. You are right: processes and tools are not part of teaching programming. But you can't isolate programming for all the rest what a software developer is using on a daily basis. No programmer will start refactoring a huge codebase if he is using plain Notepad. You WILL need an IDE for that. You could start arguing that refactoring also does not belong to "programming" because in an idealized world you would get it done right the first time. Reality looks a bit differently.
Beside that, all people I have met, who are superior in there field are out-of-the-box-thinkers and not only focused on one thing. So I really have my doubts that "You can be a super star programmer without all of those."

John Todd wrote:How I'm supposed to defend my software/hardware if I don't know how to attack it in the first place?

Start asking yourself: how would you try to break it? Start reading about possible attacks. The basic concepts are usually well-documented and you don't have to browse around the dark corners of the internet. SQL Injections are for example quite well explained in the wikipedia. OWASP has a list of the top 10 web application security risks with explanation and examples. Subscribe to a topic-related mailinglist. Buy some books which are dealing with the topic (one was mentioned in my last reply). Same principle as learning building software: take baby-steps, read on topics which might interest you / which others point you too and the longer you are dealing with this topic the more you get the big picture.
You don't have to become an uber-hacker to defend your software, you just need to know where you have to take care. If you are inserting user-input without escaping the input into your database, you will get some problems with SQL injections. Only thing you need to know: escape user input. No need to know how *exactly* fancy SQL injections are working. And again: there are also books about writing secure code (e.g. this one)

John Todd wrote:I may be wrong but no one will teach you to perform attacks and eventually becoming a security expert.

As I already said: there are tons of resources. So I'm not sure what exactly you are looking for.

John Todd wrote:Thanks for the post.
One comment regarding teaching programming:
Processes (Scrum, Lean ..) and tools (IDE, bugtrackers ..) aren't part of teaching programming.
You can be a super star programmer without all of those.
End of comment
Back to the subject:
Do you see what I mean?
XSS, CSRF, Jailbreaking and defending servers.
How I'm supposed to defend my software/hardware if I don't know how to attack it in the first place?
I may be wrong but no one will teach you to perform attacks and eventually becoming a security expert.

One of the things that OWASP tries to emphasize is positive security and constructive security - in other words, we try to highlight practical solutions instead of focusing on discovering new attacks. As you mentioned, there is no shortage of attack techniques and even the best security experts would be hard pressed to know all possible attack vectors.

From a developers perspective though, if they can follow a core set of security principles, they can help close the security gap. For example, both XSS and SQLi are forms of injection attacks. For the most part, injection attacks can be prevented with a good combination of input validation and output encoding. These two defensive strategies apply to any piece of code and following through with these strategies moves an application's security posture forward by leaps and bounds.

The OWASP Development Guide and the OWASP Top 10 Project provide some good resources to acquire some of this knowledge.

-Jason
OWASP Global Projects Committee Chair

I haven't seen company management encourage people to become security expery. My previous company was trying hard to get a security expert since months, I have heard that it is still looking for one.