If you're studying to be a developer, there's a bevy of career options you could choose from.
Whether you want to be a full stack dev, a cloud engineer, or a DevOps specialist, your base skill set is transferable between all of these. If you're building a microservices-based application, you could quite easily pivot to building cloud-native apps.
But there's another obvious overlap: any software you make needs to be secure. Especially in a cloud-focused world where most of our data is stored online, security is more important than ever.
Programmers tend to think of application security as a totally independent field. And if we're being honest, they're not too fond of security folks telling them their software is full of bugs.
But I'm going to show you why learning AppSec can completely transform your career as a developer, and make you even more sought-after than an average programmer.
Download now: A Beginner's Guide to Careers in Application Security
You might think, "Isn't security the problem of the security team?" But here's the thing: a huge chunk of security engineers actually started off as developers.
There's a ton of overlapping skills between the two disciplines. Both require an intimate knowledge of how software architecture works, how users interact with the software, and what sort of data they store or retrieve from it.
However, the prevailing culture in software development has been to separate the dev teams and security teams into siloes, each with different responsibilities.
But in the last couple of years, companies have realised how much more effective it is to have the two teams operate side-by-side.
And here's the thing: programmers who also know security are far more valuable than the average software developer.
Super-specialisation isn't as attractive to employers anymore, because of how fast tech economy is evolving right now. Today's skills could be obsolete in six months, so employees need to be flexible in learning new skills.
According to Renaud Deraison, co-founder and CTO of Tenable, "Each and every IT person should be equipped with knowledge of security best practices so nothing slips through the cracks. Engineering and IT teams must have security expertise baked into their skillsets from the beginning."
Read more: How to Prepare for a Post-Pandemic Career in Application Security
One of the recent trends among tech companies is the concept of a 'Security Champion' in the development team.
So...who is a security champion?
A security champion is a key member of the dev team who has a strong interest in application security. Think of them as an agent on the inside who pushes security initiatives and generates interest for security among their team members.
A champion will still be fulfilling their role as a developer, architect, or DevOps engineer. They need to have a strong grasp on the tooling, constraints, and processes adopted by the dev team.
But they'll play another, equally important role: pushing for secure coding practices among their colleagues.
To be clear, a security champion isn't meant to be an expert on AppSec, or a replacement for the security team. They're instead working to improve standards of application security within the dev team itself.
Interest for these security champion programs is growing rapidly among companies today, according to a 2020 survey.
It revealed that 84% of companies believed that security champions improved their application security programs and led to better collaboration between security and DevOps teams.
You could position yourself as a potential security champion by getting skillsin key areas of application security, especially if they complement your existing skills as a programmer.
Watch now: Do You Need to Know Code for a Career in Infosec?
Before you go looking for courses on application security, you should first understand the best way to go about it. Here's what you need to keep in mind when you start learning.
I know this one sounds rather obvious, but it's pretty challenging to actually pull it off.
Security is often viewed as a curative measure against attacks, but as with medicine, a preventative approach is usually far more effective.
Your primary goal here should be to deploy web applications that function correctly even when under attack. Rather than trying to fix an app after it's been exploited, you should look for ways to stop the attack before it does any serious damage.
This means focusing on writing code without vulnerabilities, and configuring the application or environment to prevent vulnerability exploits.
Before you can get answers to your problems, it's important to first ask the right questions about the security posture of your app.
The next step will help you answer these questions one by one.
Read more: Why Universities Need to Do More About Developer Security
This is an oversimplification, but your security process generally happens in 3 steps:
Step 1: Understand vulnerabilities and their impact on your app. You need to first learn how these security flaws even work and how they can cause problems for your application.
Step 2: Assess the security of your application. At this stage, you're evaluating the security measures (or lack thereof) on your app, and identify what parts of your app suffer from which vulnerabilities.
Step 3: Determine the best approach to mitigate the security vulnerabilities found. Now that you know what vulnerabilities can be found where, your job is to fix the security issues, starting with the most critical ones first.
You don't need to be an expert on any of these, but when you're learning about application security, you should familiarise yourself with the whole process.
Multiple studies have shown that practical learning methods that employ real-world examples or exercises are the best to help students beat the steep learning curve associated with acquiring new skills.
'Contextualised learning', is the concept of embedding learning activities into a realistic context/situation the students are already familiar with.
A recent study showed that 91% of students said hands-on labs made security learning easier, and over 80% said it increased their interest in learning application security.
Interactive security learning allows you to apply what you've learned in a real-world, practical scenario. It's the closest thing to work experience you can get.
AppSecEngineer's hands-on labs are built on this very principle. We take real-world security use cases and turn them into labs and exercises so you get the most authentic practical experience when you learn.
Download now: How to Use Hands-on Training to Upskill Your Team in Anything
There are plenty of ways for a student to learn application security in 2022, including free resources to get started. Here are a few of the best ones out there.
OWASP WebGoat is a deliberately insecure application that that lets you test vulnerabilities found in Java-based applications. It's an interactive teaching environment for web application security, and uses many common and open source components.
OWASP is a non-profit organisation dedicated to improving application security, and has several free, open source projects that you can check out and start learning from.
AppSecEngineer's free version lets you access 8 unique courses from Kubernetes security, AWS security, DevSecOps, and more. You get over 20 hours of video content, and 30+ hands-on labs for totally free.
Our labs are recognised as some of the best in the industry, and are incredibly easy to pick up and start learning.
See them in action by signing up for your free account now.
The Web Security Academy is a free resource by the developers of Burp Suite, the popular security testing tool.
With dozens of in-depth learning materials and labs, you can learn all about the OWASP Top 10 and other highly common vulnerabilities on their website.
Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, producing Youtube videos and promotional content. Aneesh has experience working in Application Security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.