Remember back in 2012 when everyone thought the world was going to end? People were buying out Walmart’s entire inventory and hunkering down in their basements, all because a Mayan calendar said so. There was a whole movie made about it.
Then the world really did end in 2020, but all we got was quarantines, toilet paper shortages, and a whole lot of banana bread.
No, but seriously, the Covid-19 pandemic turned the world completely upside down, and we’re still reeling from its effects today. Homes have turned into workplaces, afternoon pyjamas are the new normal, and I can’t remember the last time I saw my coworkers in real life. Remember handshakes?
No industry is immune to these paradigm shifts in the workplace, and tech is no exception.
In the last two years, companies have seen their technology and security needs change drastically, and the next few years mark a whole new trajectory for application security and product development.
So it’s time to ask: what do you need to know to land a career in Application Security in 2022 and beyond?
If you’ve been tuning into the news or the job market in recent months, you’ve probably heard about the Great Resignation.
According to the U.S. Bureau of Labor Statistics, 4 million Americans quit their jobs in July 2021. The tech industry in particular has been seriously disrupted, with a 4.5% increase in the number of resignations.
As remote work became the norm during the peak of Covid, people got a taste for what it was like to skip dreary morning commutes to work and live in far-flung areas where rent and the cost of living were far lower.
Once things began opening up again, some companies continued to offer work-from-home options while others didn’t. I think you can guess how that turned out. Organisations today have more pressure than ever to offer at least part-time remote work options.
So what does all this mean for you?
Well, for starters, this is one of the best times in years for someone looking to start a career or shift to a new one. Workers are beginning to understand they shouldn’t have to settle for a job with bad pay or benefits, and they can look elsewhere for a better deal.
If you’ve been considering a career in application security, now is as good a time as any to take the leap.
In the “before times,” people were building cloud-based apps because it was convenient to store data and get all your work done on the cloud.
With the pandemic and subsequent lockdowns, to hell with convenience: it’s downright mission-critical. If people can’t access your apps on a device or web browser at their convenience, they won’t use them.
Even product engineers have migrated to cloud-based platforms and services, which means the people building these applications are also doing it on the cloud.
“Security needs have definitely changed,” says Abhay Bhargav, CEO of we45. “Companies now realise they need to build strong security teams around AppSec and the Cloud.”
For better or worse, the pandemic has forced companies to change how they operate. The tech industry as a whole has come to a consensus: shore up your security protocols, or end up in a very unsavoury headline.
As someone starting out their career in an uncertain new world, here’s how you can prepare for application security jobs in the future.
It’s impossible to overstate how important cloud security is going to be in the near future. Earlier this year, Gartner forecast that worldwide spending on cloud services was expected to go up 23% in 2021.
The demand for talent in cloud architecture and security is simply massive, and companies from every conceivable industry—even the less tech-savvy ones—are showing interest in modernising their online infrastructure.
“With WFH requirements and the need for online collaboration,” Abhay says, “the concept of a ‘perimeter’ and internal network are going to dissolve pretty quickly. Companies will embrace cloud tech more readily than ever before.”
According to research by (ISC)², most—if not all—team leaders are facing a serious shortage of skilled talent in cloud security. Survey respondents agreed that there are not nearly enough qualified people on the market, whether it’s because of deficiencies in the education system or bad hiring practices.
But one thing is crystal clear. Training in cloud security is one of the best things you could be doing right now to secure a job wherever you are in the world.
Looking cloudy with a 100% chance of landing a job! Check out our courses in AWS Security and Azure Security.
With cloud as the de facto technology powering modern apps, the challenge is no longer just to get your software working on a device with an internet connection. It also needs to work when scaled up to thousands, hundreds of thousands, even millions of users.
Kubernetes has paved the way for massively scalable, extremely flexible software deployment across virtually any tech stack. It acts sort of like the brain of your application, overseeing thousands of microservices, containers, and other components.
But Kubernetes is also notoriously complex and hard to configure, making it an especially appealing target for cybercriminals.
If Kubernetes developers are in high demand, Kubernetes security engineers are arguably even more sought-after, thanks to their unique but immediately applicable skill set.
As cloud and cloud-native apps have become the norm, Kubernetes has steadily been picking up steam as the platform of choice to deploy and manage complex services and software.
Even if you’re not looking for a career in application security, there’s a massive market out there for Kubernetes specialists, with nowhere near enough talent to meet the demand.
Not sure where to begin with Kubernetes security? Our beginner-friendly courses are the perfect place to start.
In the last couple of years, companies that didn’t have much of an online presence got a rude wake-up call: if customers can’t find you online, they can’t find you at all.
This has led to a sudden influx of companies—restaurants, supermarkets, retailers—building their own apps so customers have a way of buying from them even through lockdowns.
Most of these apps use APIs (application programming interfaces) so the front-end app that’s on your device can communicate with the back-end servers. These APIs connect the app to everything: containers, internal and external applications, and other microservices.
While this makes life easy for developers, it also means a much larger attack surface on your system, with plenty of vectors for an attacker to exploit with relative ease.
It’s gotten so bad that less than 6% of companies reported no API-related issues last year. As API attacks continue to wreak havoc on insecure apps, companies are on red alert.
Learning API security right now is one of the best ways you can prepare yourself for the next few years. It’s also a great “gateway” into other hot topics like cloud and Kubernetes security.
Let's get you started with the definitive masterclass on API Security. Learn both attack and defence in one course.
When security teams are asked to come in after a finished product is built to look for vulnerabilities, they may as well not be called at all.
Fortunately, companies are starting to realise just how inefficient and dangerous it is to leave security for the end of the development cycle. Iterative development is the way to go, and security is a big part of these changing currents.
This is thanks in part to DevOps and, subsequently, DevSecOps, which emphasises implementing security earlier in the software development lifecycle (SDLC).
DevSecOps encourages teams to build iteratively, testing each new component of a build before deploying it. This establishes a process of developing, testing, and bug fixing that runs far more efficiently than the previous waterfall method.
Particularly as teams go fully or partially remote, being able to automate tasks and decentralise development is a great way to reduce security risks and increase throughput.
DevSecOps is difficult to implement, but the gains from it are massive, which is why we’re seeing more and more organisations hopping on the bandwagon.
Security skills are great, but being able to build CI/CD pipelines, automate security scans and reporting, and coordinate with developers are skills companies simply can’t find enough of.
The world of security automation is out there! Dig deeper with our massive menu of DevSecOps courses right here.
This isn’t something most people consider, but keeping up with what’s happening in the field of security is a vital part of being an industry professional.
Whether it’s recent trends, breaking news of cyberattacks, or new tech that’s being pioneered in some remote corner of the world, you need to have your ear to the ground.
Take for example the recent Log4j flaw that took the internet by storm in December 2021. A vulnerability like that presents a perfect opportunity to learn something new and join the ongoing discussion.
You could, for starters, write a blog post about what you learned while researching the subject and share it on social media.
There are two benefits to this. First, even if you’re not getting hundreds of likes or clicks on your post, you’ve learned something new, and that’s always, always a good thing. Second, it’s something you can show potential employers as evidence of your constant interest and drive to learn and improve.
Career-seekers tend not to go beyond the course material they’re learning from, which means their knowledge is limited to what they’ll find in textbooks. The real-world stuff matters just as much—if not more—when you’re a professional.
When it comes to skill-based roles, newcomers often get so caught up in the technical aspects that they ignore the social side of the job. Even if you’re not a team supervisor or in a leadership role, managing people and building a network is invaluable for your career.
There’s a common misconception that you should “let your work speak for you.” In reality, there are so many people vying for the same jobs or positions you are. Making yourself stand out purely through your resume becomes almost impossible (unless you’re some genius whiz-kid who went to MIT at 14).
That’s where networking comes in. Yes, I know, a lot of people hate the idea of networking, but try not to think of it as a bitter pill you have to swallow in order to get results.
On the contrary, you’re building a circle of like-minded friends who all have a strong motivation to help each other out, because it means they’ll help you out in turn.
Think about it: if a hiring manager at a company had to choose between you and someone else with similar CVs, but you have a friend in the company who can give them your reference, who do you think they’re more likely to choose?
There are plenty of ways you can start networking in the AppSec space:
There’s this strange, adversarial culture that tends to form between developers and security engineers when they’re working in a team.
Developers view security engineers as people who keep poking holes in their code and telling them they did their job wrong. On the other hand, security folks get frustrated that developers don’t employ secure coding practices to avoid those vulnerabilities in the first place.
In particular, developers find it frustrating when people in security just dump massive bug reports on their desks without giving them any further context. How is a programmer supposed to know how to interpret a bug report without help from the security professional?
This is where learning to code can be a big help, specifically for two reasons.
First, it can help you communicate your vulnerability reports more clearly. Developers don’t want to spend hours trying to recreate bugs when you could just meet them halfway. This streamlines the remediation process considerably.
Second, it’s a great equaliser between you and your developer colleagues. Learning to code can help you empathise with the job of a programmer—they’re not only building the app, but cleaning up after themselves.
That sort of understanding between the two groups can strengthen the bond within the team, keeping team morale from tanking and collaboration frictionless. When companies say they want a “team player,” this is what they mean.
The OWASP Top 10 is one of the first things you’ll learn about in application security. It’s a list of the ten most common and harmful security vulnerabilities found in applications each year.
If you’re just starting out in AppSec, you should familiarise yourself with the vulnerabilities in the OWASP Top 10 because if you come across a security flaw in the real world, chances are it’s on that list.
WebGoat is like a crash test dummy: it’s an application made deliberately insecure so you can try out all kinds of attacks on it and test various vulnerabilities.
It’s incredibly useful because it helps newbies get hands-on experience working with a real-world application and figuring out how security exploits work. WebGoat serves as a great gateway into the world of AppSec.
OWASP SKF is particularly useful for programmers looking to learn how to code securely. It’s an open source web application that explains secure coding practices in multiple programming languages.
The SKF was created to teach developers how to integrate security by design into their applications, rather than have to spend time fixing buggy code after the fact.