Application security: Is AppSec the right career for you?
The world is increasingly digital — particularly with today’s remote work and remote learning landscape. Enhancing security in the applications that we have all come to rely on every day has never been more important. As such, we are now seeing tremendous growth in the field of application security (AppSec), or the process of finding, fixing and enriching the security of apps to protect an organization’s data.
The cybersecurity specialists who carry out this work hold the job of an AppSec professional.
Proactively managing software risk is a big job and the career opportunities in this growing field are widespread. Virtually any business that makes software or uses it requires the skills of AppSec engineers, managers, analysts, consultants and numerous other role titles.
What should you learn next?
“It used to be that you could draw really clean lines around what an application is,” says Sam King, CEO of Veracode. “Now we use API’s, opensource code, containers, infrastructure as code, configurations. … Today, it’s about bringing security to software in whatever form it presents and making it easy for developers to use — but not forgetting about the needs of a security team either.”
What is AppSec?
An organization’s software usually comes from a variety of sources: vendors, internal development teams and even partners. AppSec is meant to secure it all. It can do so during the software development phase, but it is also required as an ongoing effort. To do their work, AppSec pros have numerous tools at their disposal to identify and remediate vulnerabilities.
Gartner defines this as the Application Security Testing (AST) market. It’s buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities, and it’s estimated to be a $3.7 billion industry with 12 percent growth forecasted in 2021.
Part of the industry’s growth is attributed to the rise in popularity of DevOps, or a combination of the terms development and operations. It’s meant to represent a collaborative or shared approach to the tasks performed by a company's application development and IT operations teams. The goal of DevOps is stronger alignment and cohesion between developers and systems administrators. And now, with security, DevSecOps.
“DevOps was gaining momentum because dev organizations realized the need for efficiency and better operations of code when it runs in production,” King said. “They wanted to break down silos and therein was an opportunity for the security team to say, if we’re going to change our practices around how we develop and deploy code, then why don’t we also include security as part of those new practices?”
What does an AppSec pro do?
To boost security and protect data, AppSec engineers work in partnership with developers, IT and others to set security policies for applications and build proactive programs that address the entire software lifecycle — from development to end of life. They also measure program results and report on progress, often supporting an organization’s Chief Information Security Officer (CISO).
Because software is never really finished — it’s almost always on a regular update schedule and deployments are continuous — it’s important for security to be both a development consideration and an ongoing priority. For the day-to-day tasks of AppSec pros, that often means the implementation of frequent vulnerability tests.
There are four broad types of application security tests:
- Dynamic application security test (DAST): Black box testing using a scanner
- Static application security test (SAST): White box testing of the source code
- Interactive application security test (IAST): Tests while the application is running
- Software composition analysis (SCA): Tests open-source code not written by the team
Testing is an important strategy for achieving the goal King outlines: the protection of any line of code that is used for a critical process or that will transact critical data.
What does it take to work in AppSec?
AppSec roles are available at every level, from beginner to more advanced for those that already have strong cyber experience and are looking to make a change. For anyone interested in AppSec, being able to demonstrate your technical skills is important.
You might start with a few of these training options or certifications:
- On-demand training like the OWASP Top 10, Offensive Bash Scripting, Python for Pentesters, Introduction to Vulnerability Management and secure coding
- Certification, such as the Infosec Institute Certified Mobile and Web Application Penetration Tester and (ISC)² Certified Secure Software Lifecycle Professional (CSSLP)
- Hands-on cyber ranges and projects covering secure coding, the secure software development lifecycle, application pentesting and more
FREE role-guided training plans
For King, it’s also about how you do what you do, including hot topic areas like communication, collaboration, out-of-the-box thinking and how you handle challenges.
“Show your growth mindset and have a willingness to learn,” she says. “There are so many opportunities in this sector.”
To learn more about what it takes to work in AppSec, watch our Cyber Work Podcast, Building a billion-dollar cybersecurity company with Sam King.
Sources
- Gartner forecasts worldwide security and risk management spending to exceed $150 billion in 2021, May 2021, Gartner Press Release
- What is DevOps?, TechTarget
In this Series
- Application security: Is AppSec the right career for you?
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity