
The Definitive Guide to Becoming an Application Security Engineer

February 21, 2022

Application security has perhaps the best underdog story in all of product engineering. Security was once viewed as an afterthought, something that—if time permitted—could be tacked onto the finished software product at the end of the software development lifecycle (SDLC).

This is the equivalent of constructing an entire building without any sort of reinforcements, duct-taping any shaky bits together, and hoping for the best. You can probably imagine how well that went.

One of the biggest reasons security wasn't taken seriously was that doing it well can be difficult and time-consuming. But attitudes changed very quickly once cyberattacks and malware brought multi-billion dollar companies to their knees and resulted in losses of millions of dollars.

Even though security is still somewhat misunderstood and overlooked, most organisations and even governments have started to take it seriously today. It's become common practice to integrate security into the SDLC in a much more concerted way, and innovations like DevSecOps and security automation are making it easier for AppSec to stay in step with the rapid pace of modern app development.

That brings us to the topic of this article. If you want to learn application security and become an AppSec engineer, you need to know not only what your job's going to be like, but how to prepare for it.

What does the Application Security industry look like?

The first thing you need to know is that, as of 2021, there's a huge shortage of talent in cybersecurity. In fact, over 76% of security leaders say they have vacancies on their teams that aren't getting filled fast enough. This is despite the fact that analysts expect the application security industry to grow by nearly 4 times between 2018 and 2026.

Looking at the data, it might seem odd that an industry with such an obviously upward growth curve is having problems hiring fresh talent for the expanding job market. But there's a good reason for that. Organisations aren't hiring just anyone to build their security systems. In a high-stakes scenario like data security, they need the best people on the job.

That's why it's not enough to just learn application security; you need to become fluent in it.

We've collaborated with multiple industry experts to create The Beginner's Guide to a Career in AppSec, an ebook that goes over everything you need to do to start your application security career right now. It includes tips from security gurus, important (and free) resources to help you start learning, and much more.

Download it for free here.

Do you need to know code to get into application security?

One of the most common questions people interested in AppSec ask is: 'Do security engineers need to know how to code?' It's an important question, because a lot of people tend to get very intimidated by the idea of programming or developing software.

Here's the deal: knowing code does give you an edge in the AppSec industry. It's why you see so many developers transitioning into application security professionals. We asked Derek Fisher, Vice President of Application Security at Envestnet, about this in our ebook.

"When I look at an Application Security team," says Fisher, "it comes down to enabling the engineering of software in a secure manner. This will require the ability to understand development environments, how code is written so you can perform code reviews, how software is built and tested, and how applications are run in a production environment."

In other words, if you're going to assess the structural integrity of a building, you at least need to know the basics of how it was built. You don't have to be a full-fledged developer with tons of coding experience under your belt. But if you're going to communicate with the dev team (a very important part of an AppSec engineer's job), you need to be fluent in their language. 

The fundamentals of application security tend to stick better when you put them in the context of code. Beyond that, collaboration with other teams in the product engineering pipeline depends heavily on everyone being on the same page. Programming knowledge helps you get on that same page.

"As an Application Security professional," Fisher continues, "your ability to understand the developer mindset, their problems and constraints, and how you can work with them to bring security into the SDLC will greatly increase your effectiveness in the Application Security industry."

If you're interested in learning more, we have a video on this subject, too.

Roles and responsibilities of an Application Security engineer

An application security engineer isn't just the person responsible for maintaining their organisation's security posture. They also need to work closely with the development team to help them understand which security flaws to watch out for, and how to fix the ones already present in the apps.

While your job description may differ from company to company, there are certain common roles practically every security engineer needs to take on. Here are a few of those:

  • Help the organisation evolve its application security functions
  • Perform application vulnerability scanning and penetration testing
  • Test source code and running code
  • Implement advanced security features
  • Maintain technical documentation
  • Perform threat modeling
  • Automate security scans and tests
  • Prioritise vulnerabilities on the basis of risk to the security of the application and business
  • Communicate the nature and severity of security flaws to the development team
  • Help the developers assess and remediate vulnerabilities

Getting an Application Security certification

While getting certified shouldn't be your top priority in AppSec, it can certainly help you land a job. It's a good way of showing potential employers you're up-to-date on the fundamentals of application security, and establishes a good baseline for how much you know.

The AppSec space has gotten rather crowded with a number of certifications in various sub-disciplines of security. However, we feel the 2 most commonly recognised and relevant certifications are CSSLP (Certified Secure Software Lifecycle Professional) and CISSP (Certified Information Systems Security Professional).

Certified Secure Software Lifecycle Professional (CSSLP)

CSSLP is a certification that largely focuses on developing your ability to "better incorporate security practices into each phase of the software development lifecycle (SDLC)."

CSSLP is great for software architects, developers, pentesters, and application security engineers, among others. Here are some of the skills you'll be tested on:

  • Secure Software Architecture and Design
  • Secure Software Testing
  • Secure Software Lifecycle Management
  • Secure Software Deployment, Operations, Maintenance

Certified Information Systems Security Professional (CISSP)

The CISSP certification shows that you're capable of "effectively designing, implementing and managing a best-in-class cybersecurity program."

It's an ideal certification for people like Chief Information Security Officers (CISOs), security analysts, and security systems engineers, among others. These are some of the skills it tests you on:

  • Security and Risk Management
  • Communication and Network Security
  • Identity and Access Management (IAM)
  • Security Assessment and Testing

How do you learn Application Security?

Application security courses are pretty common these days, and there are tons of free resources available online as well. Some of the best free, community-driven projects and resources can be found on OWASP. Here's a list of some of the most useful AppSec learning resources on OWASP:

  • OWASP Cheat Sheet series
    The Cheat Sheet is a collection of high value information on over 65 specific application security topics.
  • OWASP WebGoat
    WebGoat is an application made deliberately vulnerable so you can use it to practice various security tests, exploits, and tools.
  • OWASP Security Knowledge Framework
    The SKF is an extensive knowledge base you can use to learn how to integrate security by design in an application. It even has examples and best practices on how to prevent attackers from exploiting your app.

However, free workshops can only get you so far. A lot of these are self-driven, which means there's no way to get feedback on how you're doing. Besides, learning is most effective when you have subject-matter experts to guide you.

AppSecEngineer offers some of the best application security courses in the world. We've taken the same world-class training material we used at conferences like Black Hat and DEF CON and expanded it into a catalogue of over 25 courses (and counting).

The best part? All our courses feature hands-on labs that let you practice every lesson by hand so you're never just relying on theory. It's the fastest way to build skill and gain experience while you're still learning.

We have 4 unique courses dedicated to the fundamentals of application security. To get started, check out our Application Security Essentials Learning Path. Give it a go with our no-strings-attached free trial.

Aneesh Bhargav

When Aneesh is not creating career-focused security content, he’s probably playing video games.