This feature first appeared in the Summer 2019 issue of Certification Magazine.
Many businesses are moving their operations online in order to enable customers to access data and engage in transactions whenever they want, from wherever they want. Almost everyone's goal is to facilitate real-time communication and collaboration between employees in different states and countries, as well as with business associates from across the globe.
This means a rapidly escalating level of sensitive data is being shared online. And with e-mail, mobile, and web applications increasingly targeted by eager attackers, securing applications and data becomes a more important priority every day. It's no longer enough to just protect your network and endpoints. Applications that aren't locked down have become a major liability.
In May, Equifax became the first company to suffer a business rating downgrade as a direct result of a cyberattack — the enormous 2017 breach that remains a painful thorn in the company's side. This can happen to any enterprise that handles sensitive data. Just one vulnerable application can increase a company's risk of suffering a data breach.
The number of companies that are moving cybersecurity to the top of their list of priorities is increasing. This is why more and more enterprises are hiring application security engineers. And right now, application security engineers are being hired at premium salaries.
According to jobs site Indeed, the average annual salary for an application security engineer in the United States is $131,762, which is higher than the average annual salaries estimated by Indeed for IT security specialists ($117,641) and security engineers ($103,214).
An application security engineer is responsible for implementation of secure practices and technologies at each stage of the Software Development Life Cycle (SDLC). The engineer is also expected to support application developers through each phase of the SDLC.
Application security engineers are generally required to have some degree of direct involvement in the following:
Define and maintain security policies, procedures, and best practices for application development.
Gather security requirements, develop and update security policies and standards, and ensure they are implemented during the planning stage.
Review application design in collaboration with developers.
Perform threat modeling. This entails compiling an inventory of assets, identifying the impact of each existing and planned application on these assets, defining each application's risk profile, documenting all security incidents and countermeasures taken, and ascertaining potential risks.
Assess the security of third-party applications and ensure these conform to company security standards.
Review existing application code for vulnerabilities, identify root causes of vulnerabilities, and define measures to remove these risks.
Recommend technologies and industry best practices for creating code.
Ensure application security controls are adequate and implemented in accordance with company security policies and standards.
Perform penetration testing and vulnerability analysis.
Develop, implement, and maintain security tools and procedures.
Develop, implement, and maintain comprehensive application testing that is in-depth and up-to-date. Integrate automated static and runtime testing and reporting into the SDLC for new applications as well as those undergoing change.
Determine the metrics to be collected for monitoring application security. Automate regular collection and reporting of these metrics, as well as periodic reporting of application scanning results.
Monitor, update, and maintain scanning tools and processes.
Guide developers on scanning, analysis, reporting, and remediation.
Participate in incident response. Work with developers to identify, analyze, and solve security problems.
Write and maintain reports of all security incidents and remediation measures.
Enhance security awareness and ensure the development team is up to date with hacking techniques.
Create and conduct hackathons to enable developers to practice hacking.
Encourage developers to understand the OWASP Top 10 Most Critical Web Application Security Risks and the OWASP Top Ten Proactive Controls.
Develop, update, and implement application security training programs for new recruits as well as experienced members of the development team. Keep track of current application-specific certifications and annual certification requirements.
Changes in technology
It's important to keep yourself informed about advances in web and mobile application technology and developments in application security. A good application security engineer needs to keep pace with changes in order to be able to protect the company's applications and data.
You also need to stay informed of changes in security technology tools, as well as changes in approach. According to Jay Kelath, Director of Product Security for Dow Jones, Interactive Application Security Testing (IAST) and Dynamic Application Security Testing (DAST) are the new technologies to watch.
Kelath also refers to the solutions-based approach to application security. Instead of discovering vulnerabilities in applications and resolving them, some application security teams are focusing on developing common solutions that developers can use.
Training and employment background
A bachelor's degree in computer science or a related subject is commonly included as an educational requirement in job listings for application security engineers, though some prospective employers prefer a master's degree. You can also consider degrees in cybersecurity. Quite a few leading universities today, including Carnegie Mellon and the NYU School of Engineering, offer cybersecurity courses.
Though online courses are not a substitute for a university degree, a good MOOC can help you get started on learning about cybersecurity. MOOC providers like Udacity, Coursera, and Cybrary offer courses on a variety of cybersecurity subjects, and many universities and tech companies offer similar online learning environments.
Solid real-world experience in application security or development carries a lot of weight and can sometimes result in an individual being hired even without a relevant degree. Companies wanting to hire application security engineers typically look for at least two to three years in development of software products or services.
Application security engineering is still a relatively new field, and many companies lack the wherewithal for employees to learn on the job. An experienced application security engineer who knows what it takes to provide reliable application security can hit the ground running from day one.
Learn by doing
There are a number of ways to gain hands-on experience. Most Fortune 500 and other large companies are now hiring application security engineers. A stint as a member of an application security or development group at one of these enterprises can teach you how to actually secure a product or service.
A job at an application security software firm in product development or security can also help you gain valuable experience. Consulting companies offer aspiring application security engineers the opportunity to work with a wide range of businesses and technologies, thereby enabling them to develop extensive knowledge and skills.
It's up to you to gain relevant experience. Whether you are already employed as an application security engineer or have yet to secure a job in the area, participating in various security programs organized by open source communities is another effective means of building skills and getting exposure. When recruiters see that you have succeeded in discovering bugs in some of these open source projects, they understand that you have expertise they could use.
Amazon, Facebook, and Google sponsor bug-discovery programs that pay people to detect vulnerabilities. It's not the money that's important and valuable here, so much as the proof of applicable expertise. Recruiters want to see what candidates have actually implemented. Other open source projects include the Open Web Application Security Project (OWASP).
If you are already working in IT, then volunteering to assist the application security team in your company can help you build application security skills in your spare time and demonstrate your interest and commitment to your employer. It might help you get a transfer to the application security department, and even if it doesn't, it's a great way to gain exposure and learn, as well as a valuable addition to your resume.
You should also consider working on your communication skills. The ability to write coherently or deliver a presentation — on the importance of writing secure code and how to go about it, or on resolving vulnerabilities, or on testing results — is a skill that employers often look for when hiring application security engineers.
Though certifications aren't key criteria for companies looking to hire application security engineers, relevant credentials demonstrate that you have invested in learning. Applicable certifications from the SANS Institute (GIAC), (ISC)², and ISACA are often requested by employers, in addition to other qualifications.
Certified Secure Software Lifecycle Professional (CSSLP) is a globally recognized certification from (ISC)². This credential validates advanced technical expertise in application security.
To earn the CSSLP, you need at least 4 years of cumulative professional experience as a software development professional in one or more of the 8 domains of the (ISC)² CSSLP Common Body of Knowledge (CBK). You must then pass the CSSLP exam, complete the online endorsement process, and formally commit to support the (ISC)² Code of Ethics. Details are available online.
The GIAC Web Application Testing (GWAPT) credential demonstrates knowledge of web application exploits and penetration testing methods. To earn the GWAPT, you need to pass one 2-hour, 75-question proctored exam with a score of at least 71 percent. Details are available online.
The Certified Ethical Hacker (CEH) is a vendor-neutral certification from industry association EC-Council. This credential demonstrates applicable knowledge of ethical hacking and is a useful acknowledgment of various skills that are needed for secure application development.
To earn the CEH (ANSI) credential, you need to either complete EC-Council's official training or have proof of at least two years of professional experience in information security, and pass the EC-Council CEH exam. To earn the CEH (Practical) certification, you need to purchase the exam dashboard code and pass the CEH (Practical) exam. Details are available online.
Other applicable certifications include CompTIA Security+, Certified Application Security Engineer (CASE), and Offensive Security Certified Professional (OSCP). OSCP is also a suitable credential for those aspiring to become penetration testers.
As cybersecurity becomes ever more challenging for businesses, the demand for application security engineers is expected to rise. By gaining relevant experience and qualifications and focusing on improving the security of internal and external applications without affecting availability and performance, you can build a rewarding career as an application security engineer. Be curious and proactive, and keep learning and implementing.