Remember back in 2012 when everyone thought the world was going to end? People were buying out Walmart’s entire inventory and hunkering down in their basements, all because a Mayan calendar said so. There was a whole movie made about it.
Then the world really did end in 2020, but all we got was quarantines, toilet paper shortages, and a whole lot of banana bread.
No, but seriously, the Covid-19 pandemic turned the world completely upside down, and we’re still reeling from its effects today. Homes have turned into workplaces, afternoon pyjamas are the new normal, and I can’t remember the last time I saw my coworkers in real life. Remember handshakes?
No industry is immune to these paradigm shifts in the workplace, and tech is no exception.
In the last two years, companies have seen their technology and security needs change drastically, and the next few years mark a whole new trajectory for application security and product development.
So it’s time to ask: what do you need to know to land a career in Application Security in 2022 and beyond?
If you’ve been tuning into the news or the job market in recent months, you’ve probably heard about the Great Resignation.
According to the U.S. Bureau of Labor Statistics, 4 million Americans quit their jobs in July 2021. The tech industry in particular has been seriously disrupted, with a 4.5% increase in the number of resignations.
As remote work became the norm during the peak of Covid, people got a taste for what it was like to skip dreary morning commutes to work and live in far-flung areas where rent and the cost of living were far lower.
Once things began opening up again, some companies continued to offer work-from-home options while others didn’t. I think you can guess how that turned out. Organisations today have more pressure than ever to offer at least part-time remote work options.
So what does all this mean for you?
Well, for starters, this is one of the best times in years for someone looking to start a career or shift to a new one. Workers are beginning to understand they shouldn’t have to settle for a job with bad pay or benefits, and they can look elsewhere for a better deal.
If you’ve been considering a career in application security, now is as good a time as any to take the leap.
In the ‘before times,’ people were building cloud-based apps because it was convenient to store data and get all your work done on the cloud.
With the pandemic and subsequent lockdowns, to hell with convenience: it’s downright mission-critical. If people can’t access your apps on a device or web browser at their convenience, they won’t use them.
Even product engineers have migrated to cloud-based platforms and services, which means the people building these applications are also doing it on the cloud.
“Security needs have definitely changed,” says Abhay Bhargav, CEO of we45. “Companies now realise they need to build strong security teams around AppSec and the Cloud.”
For better or worse, the pandemic has forced companies to change how they operate. The tech industry as a whole has come to a consensus: shore up your security protocols, or end up on a very unsavoury headline.
As someone starting out their career in an uncertain new world, here’s how you can prepare for application security jobs in the future.
It’s impossible to overstate how important cloud security is going to be in the near future. Earlier this year, Gartner forecast that worldwide spending on cloud services was expected to go up 23% in 2021.
The demand for talent in cloud architecture and security is simply massive, and companies from every conceivable industry—even the less tech-savvy ones—are showing interest in modernising their online infrastructure.
“With WFH requirements and need for online collaboration,” Abhay says, “the concept of a ‘perimeter’ and internal network are going to dissolve pretty quickly. Companies will embrace cloud tech more readily than ever before.”
According to research by (ISC)2, most—if not all—team leaders are facing a serious shortage of skilled talent in cloud security. Survey respondents agreed that there’s not nearly enough qualified people on the market, whether it’s because of deficiencies in the education system or bad hiring practices.
But one thing is crystal clear. Training in cloud security is one of the best things you could be doing right now to secure a job wherever you are in the world.
Looking cloudy with a 100% chance of landing a job! Check out our courses in AWS Security and Azure Security.
With cloud as the de facto technology powering modern apps, the challenge is no longer just to get your software working on a device with an internet connection. It also needs to work when scaled up to thousands, hundreds of thousands, even millions of users.
Kubernetes has paved the way for massively scalable, extremely flexible software deployment across virtually any tech stack. It acts sort of like the brain of your application, overseeing thousands of microservices, containers, and other components.
But Kubernetes is also notoriously complex and hard to configure, making it an especially appealing target for cybercriminals.
If Kubernetes developers are in high demand, Kubernetes security engineers are arguably even more sought-after, thanks to their unique but immediately applicable skill set.
As cloud and cloud-native apps have become the norm, Kubernetes has steadily been picking up steam as the platform of choice to deploy and manage complex services and software.
Even if you’re not looking for a career in application security, there’s a massive market out there for Kubernetes specialists, with nowhere near enough talent to meet the demand.
Not sure where to begin with Kubernetes security? Our beginner-friendly courses are the perfect place to start.
In the last couple of years, companies that didn’t have much of an online presence got a rude wake-up call: if customers can’t find you online, they can’t find you at all.
This has led to a sudden influx of companies—restaurants, supermarkets, retailers—building their own apps so customers have a way of buying from them even through lockdowns.
Most of these apps use APIs (application programming interfaces) so the front-end app that’s on your device can communicate with the back-end servers. These APIs connect the app to everything: containers, internal and external applications, and other microservices.
While this makes life easy for developers, it also means a much larger attack surface on your system, with plenty of vectors for an attacker to exploit with relative ease.
It’s gotten so bad that fewer than 6% of companies reported no API-related issues last year. As API attacks continue to wreak havoc on insecure apps, companies are on red alert.
Learning API security right now is one of the best ways you can prepare yourself for the next few years. It’s also a great ‘gateway’ into other hot topics like cloud and Kubernetes security.
Let's get you started with the definitive masterclass on API Security. Learn both attack and defence in one course.
When security teams are asked to come in after a finished product is built to look for vulnerabilities, they may as well not be called at all.
Fortunately, companies are starting to realise just how inefficient and dangerous it is to leave security for the end of the development cycle. Iterative development is the way to go, and security is a big part of these changing currents.
This is thanks in part to DevOps and subsequently, DevSecOps, which emphasises implementing security earlier in the software development lifecycle (SDLC).
DevSecOps encourages teams to build iteratively, testing each new component of a build before deploying it. This establishes a cycle of developing, testing, and bug fixing that runs far more efficiently than the previous waterfall method.
Particularly as teams go fully or partially remote, being able to automate tasks and decentralise development is a great way to reduce security risks and increase throughput.
DevSecOps is difficult to implement, but the gains from it are massive, which is why we’re seeing more and more organisations hopping on the bandwagon.
Security skills are great, but being able to build CI/CD pipelines, automate security scans and reporting, and coordinate with developers are skills companies simply can’t find enough of.
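One concrete piece of the “automate security scans and reporting” skill is the gate that sits between a scanner and the pipeline: something has to read the findings, apply the team’s policy, and fail the job with a readable summary. The script below is an added example, not code from the original article or from AppSecEngineer. It assumes a simple JSON shape for scanner output (a list of findings with `id`, `severity`, `component` and `title`), which real scanners do not share, and the sample findings and their identifiers are constructed placeholders.

```python
"""Pipeline gate for security scanner output (added example, assumptions noted inline)."""
import json
from dataclasses import dataclass

# Severity ordering used by the gate. Assumed for this example; real scanners use their own scales.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample scanner output. The ids are placeholders, not real advisories.
SAMPLE_SCAN_JSON = json.dumps([
    {"id": "FAKE-2021-0001", "severity": "CRITICAL", "component": "logging-lib", "title": "remote code execution"},
    {"id": "FAKE-2021-0002", "severity": "MEDIUM", "component": "http-client", "title": "header injection"},
    {"id": "FAKE-2021-0003", "severity": "HIGH", "component": "yaml-parser", "title": "unsafe deserialisation"},
    {"id": "FAKE-2021-0004", "severity": "LOW", "component": "cli-utils", "title": "verbose error message"},
])


@dataclass
class GateResult:
    passed: bool
    blocking: list   # findings that fail the build
    accepted: list   # findings at or above the threshold with a documented exception
    report: str      # human-readable summary for the job log or ticket


def parse_findings(raw_json: str) -> list:
    """Parse scanner output; reject malformed entries instead of silently skipping them."""
    findings = json.loads(raw_json)
    for f in findings:
        if str(f.get("severity", "")).upper() not in SEVERITY_RANK:
            raise ValueError(f"unknown severity in finding {f.get('id')!r}")
    return findings


def evaluate_findings(findings, fail_at="HIGH", accepted_risks=()):
    """Fail the build if any finding at or above fail_at is not an accepted risk.

    accepted_risks holds finding ids with a documented exception. They never block,
    but they are still listed in the report so the exception stays visible.
    """
    threshold = SEVERITY_RANK[fail_at.upper()]
    accepted = set(accepted_risks)
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"].upper()] < threshold:
            continue
        (waived if f["id"] in accepted else blocking).append(f)

    lines = [f"scan gate: {len(findings)} finding(s), fail at {fail_at.upper()}"]
    # Most severe blocking findings first, so the top of the log is the thing to fix first.
    for f in sorted(blocking, key=lambda x: -SEVERITY_RANK[x["severity"].upper()]):
        lines.append(f"  BLOCK {f['severity']:<8} {f['component']}: {f['title']} ({f['id']})")
    for f in waived:
        lines.append(f"  WAIVE {f['severity']:<8} {f['component']}: {f['title']} ({f['id']})")
    lines.append("result: " + ("FAIL" if blocking else "PASS"))
    return GateResult(not blocking, blocking, waived, "\n".join(lines))


def run_gate(raw_json=SAMPLE_SCAN_JSON, fail_at="HIGH", accepted_risks=()):
    """Parse, evaluate and return the gate result for one scanner run."""
    return evaluate_findings(parse_findings(raw_json), fail_at, accepted_risks)


if __name__ == "__main__":
    import sys
    result = run_gate()
    print(result.report)
    # A non-zero exit code is what actually stops the pipeline stage.
    sys.exit(0 if result.passed else 1)
```

The design choice worth noting is the exception list: a gate that can only be bypassed by lowering the threshold for everyone tends to get switched off, whereas per-finding exceptions that stay visible in every report keep the pressure on while letting a release ship.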
The world of security automation is out there! Dig deeper with our massive menu of DevSecOps courses right here.
This isn’t something most people consider, but keeping up with what’s happening in the field of security is a vital part of being an industry professional.
Whether it’s recent trends, breaking news of cyberattacks, or new tech that’s being pioneered in some remote corner of the world, you need to have your ear to the ground.
Take for example the recent log4j flaw that took the internet by storm in December 2021. A vulnerability like that presents a perfect opportunity to learn something new and join the ongoing discussion.
You could, for starters, write a blog post about what you learned while researching the subject and share it on social media.
There are two benefits to this. First, even if you’re not getting hundreds of likes or clicks on your post, you’ve learned something new, and that’s always, always a good thing. Second, it’s something you can show potential employers as evidence of your constant interest and drive to learn and improve.
Career-seekers tend not to go beyond the course material they’re learning from, which means their knowledge is limited to what they’ll find in textbooks. The real world stuff matters just as much—if not more—when you’re a professional.
When it comes to skill-based roles, newcomers often get so caught up in the technical aspects that they ignore the social side of the job. Even if you’re not a team supervisor or in a leadership role, managing people and building a network is invaluable for your career.
There’s a common misconception that you should ‘let your work speak for you.’ In reality, there are so many people vying for the same jobs or positions you are. Making yourself stand out purely through your resume becomes almost impossible (unless you’re some genius whiz-kid who went to MIT at 14).
That’s where networking comes in. Yes, I know, a lot of people hate the idea of networking, but try not to think of it as a bitter pill you have to swallow in order to get results.
On the contrary, you’re building a circle of like-minded friends who all have a strong motivation to help each other out, because it means they’ll help you out in turn.
Think about it: if a hiring manager at a company had to choose between you and someone else with similar CVs, but you have a friend in the company who can give them your reference, who do you think they’re more likely to choose?
There are plenty of ways you can start networking in the AppSec space:
There’s this strange, adversarial culture that tends to form between developers and security engineers when they’re working in a team.
Developers view security engineers as people who keep poking holes in their code and telling them they did their job wrong. On the other hand, security folks get frustrated that developers don’t employ secure coding practices to avoid those vulnerabilities in the first place.
In particular, developers find it frustrating when people in security just dump massive bug reports on their desks without giving them any further context. How is a programmer supposed to know how to interpret a bug report without help from the security professional?
This is where learning code can be a big help, specifically for two reasons.
First, it can help you communicate your vulnerability reports more clearly. Developers don’t want to spend hours trying to recreate bugs when you could just meet them halfway. This serves to streamline the remediation process by a lot.
Second, it’s a great equaliser between you and your developer colleagues. Learning code can help you empathise with the job of a programmer — they’re not only building the app, but cleaning up after themselves.
That sort of understanding between the two groups can strengthen the bond within the team, keeping team morale from tanking and collaboration frictionless. When companies say they want a ‘team player,’ this is what they mean.
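The first reason above, meeting developers halfway on reproduction, is easiest to see as code: instead of a paragraph saying “the upload handler lets you read files outside the upload directory”, the report ships a runnable reproduction and the proposed fix next to it. The block below is an added example, not code from the original article or from any project it mentions. The upload-path resolver, its base directory and the inputs are constructed for illustration.

```python
"""A vulnerability report as a runnable reproduction (added example; everything here is constructed)."""
import posixpath

BASE_DIR = "/srv/app/uploads"  # assumed location of user-uploaded files


def resolve_upload_path_vulnerable(base_dir: str, user_path: str) -> str:
    # The behaviour being reported: the path is joined without checking that
    # the result still lives inside base_dir.
    return posixpath.join(base_dir, user_path)


def resolve_upload_path_fixed(base_dir: str, user_path: str) -> str:
    """Proposed fix: normalise, then reject anything that resolves outside base_dir."""
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # Compare against the directory prefix with its separator, so a sibling
    # directory such as ".../uploads2" is not mistaken for ".../uploads".
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes upload directory: {user_path!r}")
    return candidate


def escapes_base(base_dir: str, resolved: str) -> bool:
    """True if a resolved path lies outside base_dir after normalisation."""
    base = posixpath.normpath(base_dir)
    norm = posixpath.normpath(resolved)
    return not (norm == base or norm.startswith(base + "/"))


def reproduce(resolver, base_dir=BASE_DIR):
    """Run the report's inputs through a resolver; returns case name -> outcome."""
    cases = {  # constructed inputs, one benign and three that should be refused
        "benign": "reports/q3.pdf",
        "traversal": "../../../etc/hostname",
        "sibling_dir": "../uploads2/x.txt",
        "absolute": "/etc/hostname",
    }
    outcome = {}
    for name, user_path in cases.items():
        try:
            resolved = resolver(base_dir, user_path)
            outcome[name] = "escaped" if escapes_base(base_dir, resolved) else "contained"
        except ValueError:
            outcome[name] = "rejected"
    return outcome


def report() -> str:
    """The table a security engineer can paste into the ticket: current code beside the fix."""
    before = reproduce(resolve_upload_path_vulnerable)
    after = reproduce(resolve_upload_path_fixed)
    lines = ["Reproduction: resolve_upload_path with constructed inputs",
             f"{'case':<12}{'current':<12}proposed fix"]
    for case in before:
        lines.append(f"{case:<12}{before[case]:<12}{after[case]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

A developer can run this file, watch the “current” column show the escape, swap in the fix and watch the same column turn to “rejected”, which is a far shorter conversation than reconstructing the issue from a scanner export.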
The OWASP Top 10 is one of the first things you’ll learn about in application security. It’s a list of the ten most common and harmful security vulnerabilities found in applications each year.
If you’re just starting out in AppSec, you should familiarise yourself with the vulnerabilities in the OWASP Top 10 because if you come across a security flaw in the real world, chances are it’s on that list.
WebGoat is like a crash test dummy: it’s an application made deliberately insecure so you can try out all kinds of attacks on it and test various vulnerabilities.
It’s incredibly useful because it helps newbies get hands-on experience working with a real-world application and figuring out how security exploits work. WebGoat serves as a great gateway into the world of AppSec.
OWASP SKF is particularly useful for programmers looking to learn how to code securely. It’s an open source web application that explains secure coding practices in multiple programming languages.
The SKF was created to teach developers how to integrate security by design into their applications, rather than have to spend time fixing buggy code after the fact.
help@appsecengineer.com
United States
11166 Fairfax Boulevard, 500, Fairfax, VA 22030
APAC
68 Circular Road, #02-01, 049422, Singapore