If you're looking for reasons to pursue a career in application security, let me help you out: application security is among the top 5 skills in tech that will see growing demand in 2023.
With the massive layoffs shaking up the tech industry in past months, there's little doubt that getting a job in 2023 will be harder than usual. But a tough job market doesn't mean companies don't need fresh talent to bolster their workforce — it just means competition is getting more fierce.
You're going to need better skills to stand out from all the other schmoes trying for the same job as you. Skills that prove you're a better fit for that coveted security role you've been preparing for all this time. But which ones?
Security expert Abhay Bhargav believes there are 4 security skills you need to have in 2023 to stay way ahead of your peers and become a no-brainer candidate for any hiring manager. Read on to find out exactly what they are.
With cloud quickly becoming the predominant technology that businesses rely on nearly as much as electricity, the demand for cloud skills has been seeing meteoric growth in the last couple of years. A study has shown cloud security skills to be the second-fastest growing skill area in cybersecurity, and expects the demand to grow by 115% by 2025.
But telling you to 'get cloud security skills' is rather vague, so let's get really specific: infrastructure-as-code is high on the list of most useful security skills right now.
Infrastructure is typically managed using manual processes — everything from provisioning, to configuring the environment, to managing servers, storage, etc. But this starts to get less technologically feasible as you scale up, requiring hundreds of man-hours for simple tasks.
With Infrastructure-as-code, you can create configuration files that contain your infrastructure specifications. This lets you edit and distribute your configurations easily, and run your systems more consistently in any environment. Using this method to automate infra management not only saves so much time, it can help you consistently apply security controls across your company's cloud environments.
Possibly the most popular Infrastructure-as-Code tool is Terraform by Hashicorp. Terraform offers a slew of APIs and providers that allow you to create, deploy, and manage resources at scale, with automation and other benefits.
Terraform uses a specialised domain-specific language called Hashicorp Configuration Language designed for IaC. Incidentally, this language is used for all other Hashicorp products, like Vault, Boundary, etc. which are also very popular in the AppSec space.
With the growing adoption of IaC in enterprise workloads, a lot of security flaws are introduced through IaC scripts that may be vulnerable or have insecure configurations.
Having skills in Infrastructure-as-Code will give you a huge leg up over the competition, especially now that companies are paying so much attention to cloud automation.
Talking about static analysis (SAST) in 2023 sounds rather antiquated, but it's more relevant than you realise. Source code is still one of the main ways vulnerabilities are introduced into software, and it's always a good idea to find and mitigate them as early in the SDLC as possible.
It's important to note that knowing how to set up and configure SAST scans is not enough: you also need to be able to customise the analyses. One of the most important tools that let you do this is Semgrep by r2c.
Semgrep is one of the most advanced SAST tools out there offering several benefits:
Semgrep is growing massively in popularity, being used globally by small and large organisations, open source projects, and more. This huge community has contributed to a ton of rulesets publicly available on Github, which has made it even easier for companies to adopt.
Going into 2023, Semgrep will be an incredibly valuable tool to have under your belt, making you an authority on static analysis as it's done in the modern age.
Want to train in Semgrep for SAST with hands-on labs? Check out this course.
This might seem like an odd choice for a skill, particularly since Open Policy Agent isn't even a tool; it's more of a framework for access control policies in the cloud and containers.
Well, that last part is exactly what makes OPA so all-important from a security perspective. The post-2020s are dominated by distributed computing: multicloud, container, and API tech. So much so, that organisations are adopting them at an unsustainable pace — they're building on the cloud without securing for the cloud.
Chief among these security concerns is access control: deciding who gets permission to see which resources. These are some of the most common vectors attackers exploit to get access to company networks. The cyberattacks on Rockstar Games and Uber in September 2022 were caused by insecure access control policies.
You can write various policies for the cloud, including access control policies, input validation, and even API gateway policies. OPA will enforce these policies based on the rules you've written.
OPA uses its own language called Rego, which allows you to write powerful policy parameters that are useful for everything from containers and Kubernetes, to APIs.
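The two passages above describe the same risk from both ends: insecure configurations introduced through IaC scripts, and OPA policies that enforce rules you have written. As an added example (not code from this post or from AppSecEngineer), here is a Rego policy that checks a Terraform plan before it is applied, denying a security group that opens SSH to the internet and an S3 public-access block that leaves any setting disabled. It assumes the plan JSON shape emitted by `terraform show -json` (a `resource_changes` array whose entries carry the post-apply state under `change.after`) and OPA 0.59 or later for `import rego.v1`; the resource addresses and plan fragments in the test rules are constructed.

```rego
package terraform.security

import rego.v1

# Input: the JSON emitted by `terraform show -json plan.out`, which lists every
# planned change under `resource_changes` with its post-apply state in
# `change.after`. (Assumed plan shape; only the fields referenced below matter.)

# An ingress rule exposes SSH to the internet when it allows 0.0.0.0/0 and its
# port range covers 22, or when its protocol is "-1" (all ports and protocols).
exposes_ssh(rule) if {
    rule.cidr_blocks[_] == "0.0.0.0/0"
    rule.from_port <= 22
    rule.to_port >= 22
}

exposes_ssh(rule) if {
    rule.cidr_blocks[_] == "0.0.0.0/0"
    rule.protocol == "-1"
}

deny contains msg if {
    rc := input.resource_changes[_]
    rc.type == "aws_security_group"
    rule := rc.change.after.ingress[_]
    exposes_ssh(rule)
    msg := sprintf("%s: ingress rule opens SSH (port 22) to 0.0.0.0/0", [rc.address])
}

# All four settings of aws_s3_bucket_public_access_block must be true.
all_public_access_blocked(cfg) if {
    cfg.block_public_acls == true
    cfg.block_public_policy == true
    cfg.ignore_public_acls == true
    cfg.restrict_public_buckets == true
}

deny contains msg if {
    rc := input.resource_changes[_]
    rc.type == "aws_s3_bucket_public_access_block"
    not all_public_access_blocked(rc.change.after)
    msg := sprintf("%s: all four public-access-block settings must be true", [rc.address])
}

# ---- Unit tests: constructed plan fragments, run with `opa test policy.rego -v` ----

# Weak configuration: SSH open to the world and one public-access setting off.
weak_plan := {"resource_changes": [
    {
        "address": "aws_security_group.web",
        "type": "aws_security_group",
        "change": {"after": {"ingress": [
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        ]}},
    },
    {
        "address": "aws_s3_bucket_public_access_block.logs",
        "type": "aws_s3_bucket_public_access_block",
        "change": {"after": {
            "block_public_acls": true,
            "block_public_policy": false,
            "ignore_public_acls": true,
            "restrict_public_buckets": true,
        }},
    },
]}

# Corrected configuration: SSH limited to the private range, all settings on.
hardened_plan := {"resource_changes": [
    {
        "address": "aws_security_group.web",
        "type": "aws_security_group",
        "change": {"after": {"ingress": [
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
        ]}},
    },
    {
        "address": "aws_s3_bucket_public_access_block.logs",
        "type": "aws_s3_bucket_public_access_block",
        "change": {"after": {
            "block_public_acls": true,
            "block_public_policy": true,
            "ignore_public_acls": true,
            "restrict_public_buckets": true,
        }},
    },
]}

test_weak_plan_is_denied if {
    count(deny) == 2 with input as weak_plan
}

test_hardened_plan_passes if {
    count(deny) == 0 with input as hardened_plan
}
```

Against a real plan, the same policy is evaluated with `opa eval -i plan.json -d policy.rego 'data.terraform.security.deny'`; a non-empty result is what a pipeline gate fails on. Note that a resource being destroyed has `change.after` set to null, so both rules simply do not fire for it rather than erroring.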
Companies in 2023 are increasingly looking for people with skills in OPA to bolster security for their distributed systems.
If you're a bug-bounty hunter, you'll probably know Nuclei by projectdiscovery like the back of your hand. Nuclei has cemented its place as a hugely important security tool in 2023, due in no small part to its ability to find bugs at massive scale and speed.
But more importantly, Nuclei is fast becoming the tool of choice to integrate into the DevSecOps pipeline. Unlike more familiar DAST scan tools like Burp or ZAP, Nuclei has the unique feature of being able to look for specific vulnerabilities using templates.
Just like with Semgrep, you can write YAML templates to customise your security scans with highly specific rules that suit your use case. Combine this with automation, and you have the accuracy of manual testing with the scalability of automation.
Learning to write Nuclei templates and run automated scans can help you differentiate yourself from other candidates in your field.
There's way more to security than just running scans and generating reports. The AppSec space is growing more complex each day, with technologies like cloud, containers, and Kubernetes taking centre-stage.
As a security professional, you'll need to understand how these new tech stacks work on a fundamental level. What kind of security misconfigurations should you look out for in Kubernetes? How does container supply chain security work? Once you've automated the DevSecOps pipeline, what's next?
Such questions are only the start of your journey into security, and to answer them effectively, you need hands-on skills. And the single best place to get those skills? AppSecEngineer.
AppSecEngineer offers nearly 60 courses in Cloud security, Kubernetes, DevSecOps, and more. All our lessons feature hands-on labs based on real-world security scenarios. We even have Playgrounds, where you learn secure coding, and Challenges, where you can test your skills.
All in all, AppSecEngineer features 800+ hands-on experiences, with many more on the way.
Start your free trial today (no CC required), or get access to our entire library of courses to start learning right now.
Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, producing YouTube videos and promotional content. Aneesh has experience working in the application security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.