Our last article examined the salaries, job trends, and the relevant certifications for a Web Applications Penetration Testing. As it was discussed, this will be an explosive area of growth in the coming years. But, there is another field of Information Technology related to this, and this is Applications Security.
This is a much broader area than Web Applications Pen Testing, because it encompasses all realms of software applications security (not just those that are Web based), and the source code which underlies them.
Software applications can include anything and everything imaginable, and there is no particular restriction on the programming language that is being used to create them (such as those of Visual Basic, ASP.NET, PHP, Perl, Ruby on Rails, etc.).
The Related Certification
Because this is such a broad field, a specific IT cert has been created for this, known as the “Certified Application Security Specialist”, or “CASS” for short. This has been designed to test the candidate’s knowledge in the realms of software applications security, and how to write secure source code.
The following subject areas are tested, and in fact, it is recommended that a candidate should have several years of practical experience in them:
*The ability to formulate secure source code in the Application Development Lifecycle methodology;
*How to scan for malformed source code;
*The ability to deal with “flawed” raw data;
*How to create and deploy a set of best practices for source code development;
*The basic concepts of Network Security;
*How to create and implement Security profiles for WS Security, XKMS, and WS-I;
*When to properly escalate software application development permissions;
*Properly dealing with SQL Injection Attacks and those that are also related to Oracle PL/SQL;
*How to securely manage session states;
*Dealing effectively with ASP.NET Security issues;
*A working knowledge of Cryptography as it relates to software applications development.
The Average Salary of an Applications Security Specialist by Geographic Location
Given the very broad tasks that are involved with being an Applications Security Specialist, the salaries will vary quite a bit. For example, the range is from $42,371.00 all the way to $112,536.00. Given this, the median is at $73,351.00.
Given that this is a high demand field, many times there will also be signing bonuses offered not only to attract the best candidates but to retain them as well for long periods of time. Thus, the range for a signing bonus is anywhere from $296.00 all the way to $112,536.00. Companies also typically offer a profit sharing plan for their Application Security Specialists, and this can be as high as $40,547.00 per year.
The following table illustrates the salary breakdown by geographic location in the United States:
|San Diego, CA||$150,000.00|
|San Ramon, CA||$218,000.00|
|San Francisco, CA||$202,000.00|
|San Antonio, TX||$141,000.00|
|Jersey City, NJ||$125,000.00|
As one can see from the table, there is a wide geographic spread for an Applications Security Specialist. This further illustrates the sheer need for this role, no matter where the job site is located at. But, the salary breakdowns differ quite a bit. For example, California and Texas command the highest salaries, with San Ramon, CA and San Francisco, CA leading the list.
It appears that the Midwest region is lower on the pay scale range, with the example being that of Columbus, OH. The East Coast cities of Lexington, MA and Jersey City, NJ are in the mid-range. These breakdowns indicate that the geographic location of where an individual wants to work at will be a key, influential variable for how well he or she will be compensated.
The Average Salary of an Applications Security Specialist by Job Title
|Data Security Analyst||$63,140.00|
|Information Security Analyst||$70,557.00|
|Information Security Manager||$107,000.00|
|Information Security Engineer||$91,539.00|
|Security Administrator – Computer Networks||$65,749.00|
|Security Architect -IT||$120,491.00|
It should be noted that the salaries associated with these titles do not take into account any type of geographic location. As mentioned, since the field of applications security is so broad, there are other job titles (such as those listed in the table) that perform some sort of applications security testing in them.
Therefore, when conducting a job search, a candidate will find a mix of these various titles along with the Applications Security Specialist title directly (which might be only a few).
The average salary of these job titles is at $84,161.00. The highest paying jobs are those with either a “Manager” or an “Architect” title associated with them.
The field of applications security and its related job titles is a heavily male dominated one, with 83% of the workforce being male, and 17% being female. The following table demonstrates the breakdown of the years of experience of this workforce:
|Years of Experience||Percentage|
|Less Than 1 Year||17%|
|20 + Years||4%|
Therefore, a candidate whom wishes to enter the field of applications security and command a high salary should have at least a university degree, 5-9 years of relevant experience in one of the job titles listed in the table, possess the CASS Certification, and be willing to locate to either Texas or California, as these current statistics indicate.