How to Become an Application Security Engineer
By: Nick Werner
I decided to write this article because application security is a really interesting area of security and the demand for talented application security professionals is rapidly growing. It also seems to be a less known area of security compared to other roles such as Penetration Tester, SOC Analyst, etc. so there are a ton of jobs available and awesome salaries.
And yes, application security can also encompass bug bounty, which seems to be a hot topic at the moment within the security community. Everyone seems to be a bug bounty hunter or security researcher nowadays because it’s the cool thing to do, but it’s a lot more challenging than people give it credit for. I know quite a few successful people who participate in bug bounty programs, but it’s really difficult, especially for new people, so I wouldn’t recommend it as a starting point. With that being said, Bugcrowd and HackerOne are free and they have academy websites that you can check out as well if that’s something that really interests you.
To preface this article, I am currently working as an Application Security Engineer at a Fortune 100 company so I feel like I have a good insight into how to land an application security role and what to expect. Before this role, I was working as a Cybersecurity Analyst for about a year and had various IT related internships while I was finishing my Bachelor’s Degree in Information Systems.
Let’s start off by explaining what an Application Security Engineer is and what kinds of responsibilities you can expect to have. An Application Security Engineer is responsible for securing a company’s web applications and/or mobile applications. Typical responsibilities include:
- Performing code reviews to find and mitigate vulnerabilities within applications or source code.
- Working alongside application developers to provide guidance on how to fix vulnerabilities within their applications.
- Scheduling scoping calls for penetration tests (if you don’t perform the penetration testing yourself).
- Remediating any vulnerabilities found during the penetration test.
- Configuring and/or making changes to a web application firewall (WAF), which includes allowlisting and blocklisting IPs, responding to security incidents, etc.
- Managing your company’s bug bounty program (if it has one). I mention this because I’ve seen it on job descriptions before, but I’ve never had any experience with this so I couldn’t tell you what it entails.
There are probably some other responsibilities that I’m missing but it honestly varies from company to company so listing all of the responsibilities that I’ve ever seen would make this article really long and boring.
So what are some of the skills that are required for this position?
NOTE: It should be understood that there are some prerequisite skills required, such as a basic understanding of networking and security. If you want to learn more about those prerequisite skills and some resources for learning them, here is another article of mine about how to break into cybersecurity, which includes advice and resources for those just starting out in IT and security.
https://nicholaswerner.medium.com/breaking-into-cybersecurity-f319812463d4
Moving along, some of the required skills include:
- Understanding and memorizing the OWASP Top 10 (just kidding, you don’t have to memorize it, but you do need to have a good understanding of it. This means understanding common vulnerabilities such as XSS, SQL injection, etc. and how to mitigate them.)
- Understanding how to read and write code (sorry). Some great languages to learn include: HTML, CSS and JavaScript. Some optional languages to learn are: Java, C++, Python.
- The ability to communicate effectively with development teams.
The next two aren’t absolutely necessary, but you should probably at least look them up before an interview.
- Familiar with CI/CD pipelines (you probably don’t know what this means so I’ll explain it). It’s basically the process of enforcing automation in building, testing and deployment of applications.
- Familiar with vulnerability scanning tools such as SonarQube, Veracode, Checkmarx, etc.
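To make the "understand XSS and SQL injection and how to mitigate them" point concrete, here is an added example in JavaScript (the language recommended above). It is not code from the article or from any of the tools it lists; it shows, for each of the two vulnerability classes, the weak pattern a code reviewer flags beside its fix. The query-builder functions return the query object a driver such as node-postgres accepts rather than talking to a real database, and the sample inputs are constructed, so the block runs offline.

```javascript
// Added example (not from the article): two OWASP Top 10 vulnerability classes
// as a code reviewer sees them, each shown as the weak pattern beside the fix.
// No database or browser is needed; the functions return the query or markup that
// would be sent, so the structural difference can be inspected directly.

// --- SQL injection ---------------------------------------------------------

// Weak: untrusted input is concatenated into the SQL text, so the input can
// change the structure of the statement, not just the value being compared.
function buildLoginQueryUnsafe(username) {
  return `SELECT id FROM users WHERE username = '${username}'`;
}

// Fix: the statement text is fixed and the input travels separately as a bound
// parameter. This is the shape node-postgres (query(text, values)) accepts;
// the driver never splices the value into the SQL text.
function buildLoginQuerySafe(username) {
  return { text: 'SELECT id FROM users WHERE username = $1', values: [username] };
}

// --- Cross-site scripting (XSS) --------------------------------------------

// Weak: user-controlled text is interpolated straight into HTML, so any tags
// in the input are rendered by the browser.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Fix: encode the HTML-significant characters before interpolation so the
// browser treats the input as text, not markup (output encoding for an HTML
// text context; attribute and JavaScript contexts need their own encoders).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Constructed sample inputs, the kind a reviewer would put in a unit test.
const SQL_SAMPLE = "alice' OR '1'='1";
const XSS_SAMPLE = '<script>alert(1)</script>';

// Runs all four functions on the samples and reports, for each pair, whether
// the weak version let the input alter the structure of the output and
// whether the fixed version kept it as plain data.
function demo() {
  const unsafeSql = buildLoginQueryUnsafe(SQL_SAMPLE);
  const safeSql = buildLoginQuerySafe(SQL_SAMPLE);
  const unsafeHtml = renderGreetingUnsafe(XSS_SAMPLE);
  const safeHtml = renderGreetingSafe(XSS_SAMPLE);
  return {
    // The weak query now contains a second predicate joined by OR.
    sqlStructureChanged: unsafeSql.includes("OR '1'='1"),
    // The safe query text is unchanged and the whole input sits in values[0].
    sqlParameterised: safeSql.values[0] === SQL_SAMPLE && !safeSql.text.includes(SQL_SAMPLE),
    // The weak markup contains a live <script> element.
    htmlTagInjected: /<script>/.test(unsafeHtml),
    // The safe markup contains only the encoded text.
    htmlEncoded: !/<script>/.test(safeHtml) && safeHtml.includes('&lt;script&gt;'),
  };
}

console.log(demo());
```

When reviewing code, the thing to look for is the same in both halves: is untrusted input being mixed into a string that another parser (the SQL engine, the browser) will interpret? The fix is always to keep data and structure separate, either through the driver's parameter binding or through context-appropriate output encoding.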
Now that I’ve gone through some of the skills required for an Application Security Engineer here are some great resources that can help you to build those skills!
- PortSwigger Academy (teaches almost every vulnerability you can think of and how to exploit them)
- PentesterLab (great for learning the basics and how to perform code reviews)
- Codecademy (great place to learn any programming language)
- Kontra (another great resource to learn how to secure code)
- The Web Application Hacker’s Handbook (you can find this book on Amazon and it covers so much)
- Alice and Bob Learn Application Security by Tanya Janca (this book is great and I think that she also has a course on YouTube @ SheHacksPurple if you don’t want to read the book)
- TryHackMe (has a web fundamentals path which is pretty good)
In all honesty, you don’t need to go through all of these resources but if you do then you’re going to be an AppSec beast!
Anyway, if you’ve made it this far in the article then I commend you and I hope that this was useful! If you’re still on the fence about diving into application security after reading this, that’s OK. I recommend going through TryHackMe’s Web Fundamentals path first and making a decision after that. As always though, if you have any questions please feel free to reach out to me, as I am more than happy to help however I can! Thanks for reading :)