Working in Application Security
Application Security is the practice applied to the installation, use and development of applications.
Most companies nowadays have an App linked with their business, from banks to retail and healthcare organisations and everything in between. However, with the addition of applications comes another point of attack for hackers, a fact that is evident in the number of software vulnerabilities reported over the past year. As companies are increasingly recognising the need for technical specialists who can help secure their applications, demand has grown and hiring for Application Security Engineers has jumped by 74% over the past 5 years, according to data from Indeed.com.
Though while the jobs are there, the number of candidates applying is not. As with many areas of the Cyber Security industry there is a deficit of talent when it comes to application security jobs. Thus, there is opportunity for individuals with certain skillsets to take a turn on their career path. Working in application security would most suit professionals who are coming from a developer background and who are interested in security or those who have worked in penetration testing roles.
If you are thinking of making a move into application security, a useful start would be to look for opportunities in your current role where you can make improvements to software security. Over-familiarise yourself with the ins and outs of data security, stay up to date with new privacy regulations and continually self-educate about existing and emerging technologies.
Data security and data privacy are key areas for application security specialists to be knowledgeable in, particularly as this is an area where new regulations are currently focused on. From the EU GDPR to the recent California Consumer Privacy Act (CCPA), companies must take privacy extremely seriously in their applications, and a key aspect of working in application security is in understanding that the risk facing organisations is tied up in new regulations such as these.
As an Application Security Engineer or Application Security Specialist you should have certain skills in your arsenal, starting with the crowd pleaser, communication. A popular skill across most roles in business today, to be an effective application security professional it is fundamental to be able to relate technology risk to business risk in terms that non-technical employees can understand.
On the more technical side is DevSecOps (development, security and operations). The goal for an application security professional is more than just securing software, they must also work to reduce risk while the company adapts to its ‘digital transformation’. The need to quickly push out greater numbers of high-quality code means application security professionals need to be employing their knowledge of DevSecOps to teach developers to spot the issues that will arise with multiple releases before they come to them. Essentially the AppSec team must collaborate with the developers to create an integrated security approach. The amount of developing involved in application security jobs lends a clear link between the two for developers to move into that security role.
Among the top-rated skills for application security roles many are related to automation. It is essential for these professionals to know how to automate their own processes and equally to navigate automated development pipelines with the same ease. Certainly, being equipped with automation skills across areas including DevOps, Scripting and CI/CD (continuous integration and development) will up your pay grade.