Application Security Engineer: Job Role and Key Skills for 2021

essidsolutions

An application security engineer ensures that every step of the software development lifecycle (SDLC) follows security best practices. They are also responsible for adhering to secure coding principles and aid in testing the application against security risks/parameters before release. So, what do you need to succeed in this job? Read this article to understand the nuts and bolts of the job role. Learn the essential skill requirements, training opportunities, and salary baseline for application security engineers today.  


Who Is an Application Security Engineer?

An application security engineer makes sure that every phase of the software development lifecycle (SDLC) follows security best practices: they define and enforce secure coding principles for the development teams and test the application against known security risks before it is released.

Twenty years back, most of the tasks mentioned above were performed by the quality assurance (QA) team – after the application was written. But agile development has changed the process completely. Today, developers are expected to write application iterations at scale, quickly updating the codebase to meet user expectations. An application security engineer ensures that this continuous development cycle sticks to security principles. 

This doesn’t mean that it is a process-based or iterative job. As cyber threats evolve, application security engineers are increasingly tasked with threat modeling, penetration testing, and ethical hacking to proactively determine the “unknown unknowns” out there. 

Interestingly, the application security engineer job role has existed for a while, if not in those exact terms. Jeff Williams, CTO and co-founder of Contrast Security, entered the field way back in the 1990s. At that time, General Electric (GE) wanted every line of code in their application landscape reviewed for security before going live on the internet. Williams worked at the company managing the data centers where GE’s applications would be hosted. He took charge of reviewing the code against the necessary security standards – which remains central to an application security engineer’s job today. 

This little anecdote illustrates how an application security engineer can be critical to software delivery and support the business as a whole. The growing importance of cybersecurity has caused a sharp rise in demand for application security engineers – particularly if you have prior experience in the field. From a specialized role, the application security engineer job is now highly coveted, and something students prepare for since their early STEM days. As of September 2020, there are over 5,000 application security engineer jobs on LinkedIn (U.S.), with many more vacancies across the world. 


Key Job Role of an Application Security Engineer

Application security is now a must-have for a variety of organizations. 

You could take your pick from Fortune 500 or 1000 companies, who all build extensive in-house application stacks. Or, you could join an advisory or cybersecurity services provider, which will inevitably include application security expertise. Independent software vendors (ISVs) also have a dedicated application security team to assist in continuous development. Finally, there are emerging opportunities in the public sector, as government agencies embrace digital transformation and use apps to provide citizen services. 

The job role extends well beyond security testing on the SDLC to encompass: 

  • Security knowledge capturing and consolidation 
  • Strong cryptography capabilities to safeguard data 
  • Automation enablement to reduce testing workloads 
  • Collaboration on product conceptualization for security by design 
  • Rapid decision-making to prevent delayed releases due to security issues 
  • Outside-the-box thinking to anticipate possible threats 

Let us consider what an application security engineer’s job role entails, with examples from three leading companies. 

1. A company might need someone to manage automation, like PayPal

When PayPal put out a job ad for an application security engineer, it specifically mentioned its secure product lifecycle (SPLC) and a dedicated application security team. It set out clear expectations, like automating the security scanning process and heading multiple security programs/events. As PayPal follows agile development, security automation in the continuous integration/continuous delivery (CI/CD) pipeline is critical.

Like PayPal, several companies want highly specific technical skills such as static application security testing (SAST), dynamic application security testing (DAST), and open-source software (OSS) security when hiring for this job. Collaboration is also a big part of the job, as security automation will touch multiple processes across the SDLC and must not hold up the timely release of secure products. 


2. A company could require a cross-disciplinary security expert, like Visa

The same job role at Visa looks slightly different. 

As per its job post, Visa was hiring a cybersecurity engineer with expertise in the application security domain. The company also mentioned that web application development experience was needed for the role along with team leadership skills. Visa’s technical needs are slightly different, as the company was looking for OWASP, CWE Top 25, data protection, and access management knowledge. 

Like PayPal (and most other companies), embedding security across the CI/CD roadmap is essential to the job. Soft skills like communication and collaboration continue to be critical, as the application security engineer’s job is cross-functional to a certain degree. 

But unlike PayPal, Visa did not mention a dedicated AppSec team. Instead, the company required someone who could work closely with developers and product teams while also building tools, looking after quality assurance (QA), and improving team efficiency.

3. A company might want to strengthen overall cybersecurity competencies, like Verizon

At Verizon, the job role cuts across development, security incident management, and knowledge building, as a shared service provided by a central team called Verizon’s Corporate Information Security (CIS) organization. 

The company explains its intention to strengthen its body of knowledge around cybersecurity and secure coding best practices. Unlike Visa and PayPal, the candidate isn’t expected to build security tools and frameworks from scratch. They are to provide expertise, conduct code reviews, and aid in testing at later stages of the SDLC. There is also a clear focus on knowledge management, as the application security engineer has to build threat/vulnerability repositories, secure code libraries, etc. 

Verizon also prioritizes experience over on-paper credentials. And this is true for much of the industry – even if your formal education degree is in a different field, five years or more of application development experience and a solid portfolio of secure code can carry you through. 

So, why should you look out for job ads like these and apply for an application security engineer’s job role in 2021 and beyond? There are three reasons:

  • It is extremely relevant

At a time when automation could be a threat to many process-based/iterative roles, specialized fields like this one promise greater job security. The digital world is built almost entirely around applications, and applications are frequently the weakest link in enterprise security. 

Forrester found that most external attacks are carried out by exploiting a software vulnerability (42%) or a web app (35%), increasing the need to hire application security engineers. Open-source vulnerabilities have jumped by 50%, so companies need someone to review common code libraries before they are pulled into the codebase. Application security engineering might become a premium STEM job for the next few years, at least, owing to its intersection of strategy and hard skills. 

  • It pays well

Application security engineers are among the top earners in computer science and software development, with an average salary of $132,000 per year in the US. Depending on where you are situated, it can go up to $146,136 or more in a city like New York. 

The best professionals in this field frequently branch out as independent consultants, working with top-tier firms to prevent security flaws and conduct root cause analysis when a flaw is exposed. And as we already mentioned, you could work with corporates, government agencies, service providers, or even promising startups, making your mark as the product gains popularity and the startup’s valuation rises in the market.

  • It is gratifying

We’d argue that product/application development in itself – no matter your role – is a rewarding job. It gives you a chance to reach thousands of end-users and makes their lives easier. In application security, your skills make a critical difference to the company’s success or failure. You could also have the privilege of preventing large-scale data breaches or application-related cyber attacks that impact society. 


Key Skill Requirements for Success in 2021

A bachelor’s degree in cybersecurity is a relatively new idea. Most industry veterans come from broader STEM backgrounds, primarily starting in computer science. Application security engineering is a narrow specialization, which typically comes after several years of work in the domain. 

That’s why companies watch out for a set of key skills and personality traits when hiring application security engineers: 

1. The ability to learn on the job 

Every company will have a unique application landscape, and more often than not, they will follow a proprietary application architecture/design. Today, a company’s success depends on its ability to stand out against similar products in the market, making the application security engineer’s job harder. 

When transitioning between companies/projects, you will have to gain familiarity with a different design structure, different delivery modalities, different security risks, and sometimes even a new language altogether. A quick learner will be poised for success, picking up technical skills and business-specific knowledge on the job. 

2. Exposure to penetration testing 

Penetration testing or pentesting, in its black-box form, is a type of testing where you do not assume any knowledge of the internal source code (gray-box and white-box engagements give the tester partial or full access to code and design). You approach the application like an attacker would (in a simulated environment), trying to find vulnerabilities across the application’s attack surface. 

In many ways, pentesting is akin to ethical hacking – as you try to exploit vulnerabilities without causing harm. Products that work with sensitive information or see many high-value transactions need exhaustive pentesting before reaching the market. 

Skills in this area can give you an edge over other candidates. The company can save significantly by leveraging an in-house resource rather than a consultant or service provider. 

3. A clear conceptual understanding of the SDLC 

This might sound basic, but the ability to understand, explain, and optimize the end-to-end software development lifecycle is an essential skill for application security engineers. One expert mentioned that “explain SDLC” and “in which phase of SDLC should you integrate security” are two very common questions he has been asked at job interviews. 

Companies will typically build on accepted SDLC guidelines (going agile, following CI/CD, etc.) to reach their product goals – an application security engineer with a strong foundational understanding of development approaches will work better with different teams and contribute to collaborative outcomes. 


4. Working knowledge of web application security 

Even within this specialized field, web appsec is an emerging area of interest and fast becoming synonymous with application security as a whole. After all, most applications are hosted on the web/public cloud, and this number will only grow in today’s connected world. 

That’s why you have multiple groups like the Web Application Security Consortium (WASC), the OWASP Foundation, and the WebAppSec Working Group to drive innovation in this domain. Brushing up on the latest trends in web appsec before interviewing for an application security engineering job is always a great idea. 

5. Stellar coding skills on the fly 

Like your understanding of SDLC, companies will also want logical reasoning, syntactic knowledge, and the ability to grasp and solve problems quickly. Companies often ask candidates to write a quick program or two to test these skills. 

An expert applying for an application security engineering job at Poshmark (a U.S. e-commerce company) was asked to write two programs in a language of their choice. You should be able to think on your feet, bringing your experience in application engineering to showcase problem-solving skills in tight timelines. 

6. Being an avid reader 

Application security testing is an evolving field, asking you to be curious and interested in new ideas. Someone who is constantly working on self-improvement both professionally and personally, and can intersect this with a genuine interest in cybersecurity, is perfect for the job. By reading up on industry trends, technology innovations, where the market is headed, you can constantly refresh your skill sets. 


7. Communication and soft skills 

As most application security engineer job ads tell us, you will have to work with developers, testers, product managers, cybersecurity teams, and business leaders at every step before application release. In smaller companies, it might even be an independent role where you’re given a task – to be executed in collaboration with your peers, without any direct oversight. 

Robust soft skills can help you iron out bottlenecks on the SDLC and understand possible vulnerabilities arising from human error. It will also help to break down the tools and frameworks you develop into easy-to-understand terms, getting buy-in from different stakeholders on your proposed security models. 

8. An impressive portfolio of code 

While this isn’t technically a “skill,” a pre-existing portfolio of secure code will convince recruiters of your skills much more effectively than a paper degree. To achieve this, you can partner with a friend/colleague to build a simple app from scratch using popular open-source libraries. Once you have the client-side code, server-side code, and a dummy database in place, run the application locally or on the cloud. 

Finally, break down the completed app to detect vulnerabilities you introduced or that were pre-existing in the code library. Document the entire process – this will give companies a hands-on view of what you can achieve and your approach for getting there. 
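The following is an added example, not code from the article or from any of the companies it mentions. It ties together the SAST automation mentioned in the PayPal section and the “break down the completed app” step above: a slice of a self-built portfolio app with a SQL-injectable login beside its parameterized fix, a constructed source snippet standing in for the app’s data layer, and a minimal SAST-style rule (written with Python’s own `ast` module) that flags `execute()` calls whose SQL text is built at runtime. All function names, the in-memory sqlite table and the sample payload are assumptions made for the example.

```python
"""Added example, not code from the article: a slice of a self-built
"portfolio app" with a SQL-injectable login beside its parameterized fix,
plus a minimal SAST-style rule that flags the vulnerable pattern in source.
All names, the in-memory sqlite database and the scanned snippet are
constructed for this example."""
import ast
import sqlite3
import textwrap


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the app's dummy database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately vulnerable: user input is pasted into the SQL text."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders keep input as data, so quotes cannot change the query."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed source lines for the SAST rule below (mirrors the two functions above).
SAMPLE_SOURCE = textwrap.dedent('''
    def find_user_bad(cur, name):
        sql = "SELECT * FROM users WHERE username = '%s'" % name
        return cur.execute(sql).fetchall()

    def find_user_fstring(cur, name):
        return cur.execute(f"SELECT * FROM users WHERE username = '{name}'").fetchall()

    def find_user_good(cur, name):
        return cur.execute("SELECT * FROM users WHERE username = ?", (name,)).fetchall()
''')


def _is_dynamic_sql(node: ast.AST) -> bool:
    """True when the expression builds a string at runtime (%, +, .format, f-string)."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def find_string_built_sql(source: str) -> list:
    """Minimal SAST rule: line numbers of .execute() calls whose first argument is
    built with string operations, directly or via a local assigned in the same function."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        assigned = {}  # local name -> expression last assigned to it
        for node in ast.walk(func):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        assigned[target.id] = node.value
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                arg = node.args[0]
                if isinstance(arg, ast.Name):
                    arg = assigned.get(arg.id, arg)
                if _is_dynamic_sql(arg):
                    findings.append(node.lineno)
    return sorted(set(findings))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # classic tautology payload, constructed for the demo
    print("vulnerable login bypassed:", login_vulnerable(db, "alice", payload))
    print("fixed login bypassed:     ", login_fixed(db, "alice", payload))
    print("SAST findings at lines:   ", find_string_built_sql(SAMPLE_SOURCE))
```

Documenting a walkthrough like this (the payload that bypasses the first login, why the parameterized version is immune, and the rule that would have caught the bug in review or in a CI stage) is exactly the kind of evidence a hiring team can read in a portfolio. The rule is deliberately narrow; a production SAST tool tracks data flow across functions and files, which this single-function check does not.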

In other words, an application security engineer’s job requires a perfect mix of soft and technical skills, a process-based mindset and creativity, and solid experience and eagerness to learn. Now, you might be wondering about training and upskilling for an application security engineer job. The process is relatively straightforward, and there are several certifications to choose from.

Training for an application security engineer’s job begins when you first pick up a STEM discipline or even start to code without prior certification. It is a lifelong process, enriched by lived experiences, the books you read, as well as the credentials you acquire throughout your career. 

Typically, a software developer or application engineer with a keen interest in cybersecurity will branch out into this field after a few years of experience. Alternatively, a computer science “newbie” might target becoming an application security engineer early on and tailor every career decision accordingly. No matter which road you’re on, there are a few courses and credentials that could make the journey more rewarding. 

  • First, we’d recommend a beginner’s level course like Systems and Applications Security provided by (ISC)². It is a 100% online course that takes approximately 16 hours to complete covering basic security concepts for endpoint devices, cloud, big data, and virtual environments. You will learn how to identify malicious code and the processes for securing various application hosting environments.
  • For slightly more advanced learners, Identifying Security Vulnerabilities by the University of California, Davis, is an excellent place to start. This course covers secure programming where you learn threat modeling, cryptography, and common application vulnerabilities. There is also a module on data exposure, which can come in handy when applying to companies like Visa and others in the banking and financial services sector.
  • Since we mentioned web appsec as a specific area of focus, Udemy’s course for Certified Web Application Security Tester (C-WAST) is worth checking out. It’s highly technical, delving into tools for web application security, standard industry protocol, attack methodologies, and more across four hours.
  • Like web appsec, ethical hacking is also a nice-to-have certification – the EC-Council has a Certified Ethical Hacker Program that combines theoretical learning with practical challenges to upskill application security engineers. It is a five-day (40-hour) course, at the end of which you need to complete 20 hands-on tests to obtain the certification.
  • There are more holistic courses and certifications if you’re looking for a single degree to act as an all-encompassing credential. Expectedly, these are more grueling and are meant for industry-readiness, in addition to personal upskilling. The Certified Application Security Engineer (CASE) course is a popular choice. It lets students specialize in either .NET or Java frameworks. The course takes you through the intricacies of embedding security in the SDLC across 24 hours of learning content. After completion, you will need to take a two-hour exam.
  • Finally, an alternative to CASE is the Advanced Web Attacks and Exploitation (AWAE) course to help earn an Offensive Security Web Expert (OSWE) certification. OSWE is meant for advanced learners specializing in pentesting and security audits – and its difficulty level is right up there. “I assure you there would be moments of total disbelief in yourself and moments of euphoria that you can do everything. And then again, and again. The main rule is to keep doing and don’t give up,” said one application security engineer (penetration tester) who acquired the certification. 


Remember, the learning doesn’t stop once you obtain the certification or get the job. 

As new threats emerge and application design approaches mature, application security engineers will have to keep up with the newest movements and constantly revisit their skill sets. A good application security engineer is an invaluable asset for every company, playing a critical role in software development, compliance, and overall cybersecurity. 

Ultimately, the best application security engineers are defined by a degree of chutzpah that helps them accomplish seemingly impossible tasks with uncompromised quality. This could be manually reviewing the entire codebase in a limited timeframe or quickly adapting to a brand-new application design with ease. The courses/certifications mentioned above will set you up for success in an application security engineer’s job in today’s age of digital proliferation. And with a little bit of research, reading, and inspiration from the newest hacking techniques, you will be on the road to success. 

Have you applied or been hired for an application security engineer role recently? Tell us on Facebook, LinkedIn, and Twitter, and help our community gain from your experience!