Application security has perhaps the best underdog story in all of product engineering. Security was once viewed as an afterthought, something that, if time permitted, could be tacked onto the finished software product at the end of the software development lifecycle (SDLC).
This is the equivalent of constructing an entire building without any sort of reinforcements, duct-taping any shaky bits together, and hoping for the best. You can probably imagine how well that went.
One of the biggest reasons security wasn't taken seriously was that doing it well can be difficult and time-consuming. But people's attitudes changed real quick once cybersecurity and malware attacks brought multi-billion dollar companies to their knees and resulted in losses of millions of dollars.
Even though security is still somewhat misunderstood and overlooked, most organisations and even governments have started to take it seriously today. It's become common practice to integrate security into the SDLC in a much more concerted way, and innovations like DevSecOps and security automation are making it easier for AppSec to stay in step with the rapid pace of modern app development.
That brings us to the topic of this article. If you want to learn application security and become an AppSec engineer, you need to know not only what your job's going to be like, but how to prepare for it.
The first thing you need to know is that, as of 2021, there's a huge shortage of talent in cybersecurity. In fact, over 76% of security leaders say they have vacancies on their teams that aren't getting filled fast enough. This is despite the fact that analysts expect that between 2018 and 2026, the application security industry will grow by nearly 4 times.
Looking at the data, it might seem odd that an industry with such an obviously upward growth curve is having problems hiring fresh talent for the expanding job market. But there's a good reason for that. Organisations aren't hiring just anyone to build their security systems. In a high-stakes scenario like data security, they need the best people on the job.
It's why it's important not just to learn application security, but to become fluent in it.
We've collaborated with multiple industry experts to create The Beginner's Guide to a Career in AppSec, an ebook that goes over everything you need to do to start your application security career right now. It includes tips from security gurus, important (and free) resources to help you start learning, and much more.
One of the most common questions people interested in AppSec ask is: 'Do security engineers need to know how to code?' It's an important question, because a lot of people tend to get very intimidated by the idea of programming or developing software.
Here's the deal: knowing code does give you an edge in the AppSec industry. It's why you see so many developers transitioning into application security professionals. We asked Derek Fisher, Vice President of Application Security at Envestnet, about this in our ebook.
"When I look at an Application Security team," says Fisher, "it comes down to enabling the engineering of software in a secure manner. This will require the ability to understand development environments, how code is written so you can perform code reviews, how software is built and tested, and how applications are run in a production environment."
In other words, if you're going to assess the structural integrity of a building, you at least need to know the basics of how it was built. You don't have to be a full-fledged developer with tons of coding experience under your belt. But if you're going to communicate with the dev team (a very important part of an AppSec engineer's job), you need to be fluent in their language.
The fundamentals of application security tend to stick better when you put them in the context of code. Beyond that, collaboration with other teams in the product engineering pipeline is heavily dependent on everyone being on the same page. Programming knowledge helps you get on that same page.
"As an Application Security professional," Fisher continues, "your ability to understand the developer mindset, their problems and constraints, and how you can work with them to bring security into the SDLC will greatly increase your effectiveness in the Application Security industry."
If you're interested in learning more, we have a video on this subject, too.
An application security engineer isn't just the person responsible for maintaining their organisation's security posture. They also need to work closely with the development team to help them understand what security flaws they need to watch out for, and how to fix the ones already present in the apps.
While your job description may differ from company to company, there are certain common roles practically every security engineer needs to take on. Here are a few of those:
While getting certified shouldn't be your top priority in AppSec, it can certainly help you land a job. It's a good way of showing potential employers you're up-to-date on the fundamentals of application security, and establishes a good baseline for how much you know.
The AppSec space has gotten rather crowded with a number of certifications in various sub-disciplines of security. However, we feel the 2 most commonly recognised and relevant certifications are CSSLP (Certified Secure Software Lifecycle Professional) and CISSP (Certified Information Systems Security Professional).
CSSLP is a certification that largely focuses on developing your ability to "better incorporate security practices into each phase of the software development lifecycle (SDLC)."
CSSLP is great for software architects, developers, pentesters, and application security engineers, among others. Here are some of the skills you'll be tested on:
The CISSP certification shows that you're capable of "effectively designing, implementing and managing a best-in-class cybersecurity program."
It's an ideal certification for people like Chief Information Security Officers (CISO), security analysts, and security systems engineers, among others. These are some skills it will test you in:
Application security courses are pretty common these days, and there are tons of free resources available online as well. Some of the best free, community-driven projects and resources can be found on OWASP. Here's a list of some of the most useful AppSec learning resources on OWASP:
However, free workshops can only get you so far. A lot of these are self-driven, which means there's no way to get feedback on how you're doing. Besides, learning is most effective when you have subject-matter experts to guide you.
AppSecEngineer offers some of the best application security courses in the world. We've taken the same world-class we used to train at conferences like Black Hat and DEF CON and expanded it into a catalogue of over 25 courses (and counting).
The best part? All our courses feature hands-on labs that let you practice every lesson by hand so you're never just relying on theory. It's the fastest way to build skill and gain experience while you're still learning.
We have 4 unique courses dedicated to the fundamentals of application security. To get started, check out our Application Security Essentials Learning Path. Give it a go with our no-strings-attached free trial.
Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, and producing YouTube videos and promotional content. Aneesh has experience working in the Application Security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.