A Beginner’s Guide to Careers in AppSec
What you can do to maximize your chances of success as a budding Application Security professional
Here’s a question we get asked a lot:
Why should I pick a career in application security?
AppSec is one of the fastest-growing and most high-impact industries that’s only started to pick up steam in the last ten years. Valued at USD $4 billion in 2019, the AppSec market is expected to grow to beyond $15 billion by 2025 according to analysts.
Why is Application Security blowing up?
When you think about it, that makes a lot of sense. Websites, services, phones, cars – hell, even fridges – require software to run. Everything we do, and all of our data is stored online. And where there’s user data, there’s something worth stealing.
AppSec is the one thing keeping the internet from turning into Grand Theft Data, and it’s never been more important than today. No, seriously. It’s a BIG deal. Companies that rely on web apps for their business need talented security professionals to help them build secure programs, and they’re willing to pay.
What do Application Security careers look like?
In the US, Glassdoor pegs the national average salary of a security engineer at around $98,000, well above what a network engineer or developer can expect to make at around $75,000. Despite this, in a 2020 report by Security Magazine, 76% of leaders face a shortage of cybersecurity skills in their organizations. Which, you know, is kind of huge.
8 things you can be doing right now to fast-track your Application Security career
1. Learn about the OWASP Top 10
2. Workshops, whitepapers, and resources from cloud providers
3. Stay up-to-date on current events in AppSec
4. Learn with OWASP Projects
   - OWASP Cheat Sheet Series
   - OWASP WebGoat
   - OWASP Security Knowledge Framework (SKF)
5. Understand the tech you’re trying to secure
6. Learn how to code
7. Take part in competitions
8. Hone your skills with bug bounty hunting
Let’s get one thing straight: AppSec ≠ Hacking
If you wanted an application security career because you’d have cool stories to tell your friends over a beer, I’d hate to burst your bubble, but it’s a lot more similar to a normal engineer’s job. That doesn’t mean it’s not fun, though! We’re not trying to get you down, we’re just setting realistic expectations here.
But now that you’re aware of the nature of your future application security career, what can you expect your job to be like? Well, for starters, there’s a surprising amount of collaboration you’d have to do with the other divisions in product engineering.
As an AppSec engineer, one of your most critical responsibilities would be to communicate your security findings to the developers on your team. You’ll not only be showing them what vulnerabilities you found in their code, but also helping them fix those vulnerabilities in time for the next release. Additionally, you might even need to give them helpful pointers on how to avoid security flaws like that in the future.
Offensive vs. Defensive AppSec
Broadly speaking (and kind of oversimplifying), there are two main sides to application security. Offensive security is where you’re acting as the malicious outsider trying to access data and privileges you’re not supposed to have. The other is defensive security, where you’re the ones that built the app and are trying to find ways to harden it against those attackers. And that’s the actual ‘security’ part of Application Security.
Offensive security is really more a means to an end, the ‘end’ here being more robust defensive measures for your application. It’s a way for engineers to simulate attack scenarios as an outsider trying to find their way in, and then use that information to build stronger fortifications. You need the former to learn how to do the latter better.
Employers need AppSec Engineers with experience
It’s usually not enough to just take a course in a particular field of security, get certified, and call it a day. AppSec is an industry that values skill over everything else, and being able to demonstrate that skill is absolutely critical if you’re looking to get noticed. Practical learning is the fastest way to level up your abilities, because it ensures you learn how security works and how to implement it in the real world.
What should your resume look like?
Security evangelist Per Thorsheim believes that you are not a security professional “until other security professionals start to refer to you as being one.” In other words, your credentials don’t make you an AppSec pro. It’s the process of actually working with your hands to solve real-world security problems that defines how people see you in the industry.
Having all the theoretical security knowledge in the world won’t matter if you can’t put it to good use. And that’s critical when you’re looking for a job in security. Practical experience is basically a necessity for a career in AppSec.
Switching careers isn’t as hard as you thought
I know what you might be thinking: you’re already a developer, or an IT professional, or maybe none of those! Switching careers can be pretty scary, especially if you don’t have a whole lot of prior experience in that field. But it’s not as daunting a proposition as it might seem to be at first.
For starters, there’s a wide variety of career paths open to someone getting into AppSec today. You’re not restricted just to pen-testing and hacking anymore. In fact, one of the most highly valued skills of an AppSec professional is the ability to communicate security risk to non-technical people. It can range from teaching developers how vulnerabilities crop up in insecure code, to demonstrating the business impact of security weaknesses to executive
Skills a developer can use
You’re also looking at helping teams achieve DevSecOps, where secure engineering practices are integrated seamlessly into a DevOps pipeline. This is the ideal jumping-off point into security for a lot of developers, because they can directly apply their knowledge of building apps in an agile pipeline to figuring out how to implement security measures in that same process.