Application security and your career: 5 key areas to focus on

Robert Lemos, Freelance writer

With the number of software vulnerabilities soaring to new heights—topping 17,000 last year—and breaches constantly in the news, demand for technical experts that can help companies secure their applications has risen dramatically.

Over the past five years, application security jobs with titles such as "application security engineer" have jumped by 74%, according to data from jobs site Indeed.com. Yet the number of searches for such jobs—one proxy measure of supply—has risen by only 13%.

The shortfall in application security specialists presents a significant opportunity for security-minded developers and team-oriented penetration testers. If you're positioned right, you can help to improve software security while advancing your career—and getting a nice salary bump. (The average salary for an application security engineer is $133,443, according to Indeed.com.)

As an application security professional, however, you have to be able to keep pace with faster development, incorporate data security to minimize running afoul of new privacy regulations, and continue to learn new technologies, said Dan Cornell, chief technology officer for software-security consultancy Denim Group.

"Applications are ... not monolithic things — it's the web front end and there are 20 different microservices. When we look at the skills that app sec folks need, it has really expanded. The developers have learned a lot of new stuff, and so application security needs to catch up."
Dan Cornell

Here are five skills and knowledge areas on which current and aspiring application security professionals should focus to advance their careers.

1. Communication

Companies need security people who can work with teams and talk to nontechnical workers about risk. From security champions teaching developers about vulnerabilities to application security managers who keep executives apprised of risk, the ability to convey the dangers of insecure code is vitally important, said David Foote, principal and founder at Foote Partners, a job-market researcher.

"They are looking for people who can connect technology risk to business risk. Companies want someone who is relevant to all the nontechnical people on the non-business side and who can help them just not be tomorrow's headline or the next breach."
David Foote

Indeed.com's list of top skills for application security engineers, for example, includes analytical ability.

2. DevSecOps

An application-security professional's primary role is not to just secure software, but to reduce risk while the company undergoes its "digital transformation," a term that has been used so much that it has quickly become a buzzword. But once you "get through the eyeroll," said Teza Mukkavilli, head of information security for online consignment service the RealReal, you'll find that there are essential business needs for companies that are pushing to produce high-quality code ever more quickly.

"In the DevSecOps world, where you are doing multiple releases, it is much more important to teach the developers to spot these issues before they come to them. Some of the static tools produce more noise than signal, and you just cannot rely on tools that do that, because it slows you down."
Teza Mukkavilli

The result is a demand for security integrated into the DevOps pipeline or agile-development process, and for professionals who can teach developers better security. These so-called security champions often spend part or most of their time developing, and thus present a good path for developers to move into security, Denim Group's Cornell said.

"It's really healthy to take developers and give them special training," he said. "Ultimately you can use those embedded security folks as a conduit to notify the central security groups of things that are happening."

3. Automation

Speed requires automation. No wonder, then, that Indeed.com's list of the 15 most popular skills for application-security engineers includes many that deal with automation: continuous integration and deployment (CI/CD), DevOps, and scripting.

Security professionals not only need to know how to automate their own processes, but how to work with automated development pipelines, said Nir Valtman, Head of Product & Data Security at the financial-services firm Finastra.

"At the end of the day, it is all about automation. We want to integrate the security tools into the pipelines, and to do that we do need additional skills that sit somewhere between infrastructure and code. The deliverable for developers is infrastructure as code, so for security it has to be security as code."
Nir Valtman

Automation skills command a significant premium: security professionals with test automation skills in their bag of tricks earn 12% more, according to Foote Partners.

4. Privacy

The enforcement of the General Data Protection Regulation (GDPR) has led to multimillion-dollar fines in the European Union against US companies, so application security professionals need to be well-versed in data security, Finastra's Valtman said.

"The app sec people and the app sec architectures need to be aware of those requirements. Pen testers need to know as well."
Nir Valtman

And because of the new California Consumer Privacy Act, almost every US company will also need to take privacy into consideration in their applications, said the RealReal's Mukkavilli.

"With GDPR, privacy and security are becoming two sides of the same coin," he said. "The big leap for someone to move from a developer to an application security expert is mostly around understanding the risk that faces a company, and some of the key aspects of that risk are the new regulations out there."

5. Check off all of the boxes

While the softer and more general skills are important, most companies have a laundry list of technical requirements as well—and those have changed over the last few years.

The top skills listed in job postings on Indeed.com, for example, are Python, Java, the secure development lifecycle, and Amazon Web Services.

At the business level, "it's important to be able to innovate faster and break down silos," Denim's Cornell said. At the development-team level, it's important to move to DevOps, he said. And from a culture standpoint, "it is about CI/CD pipelines, microservices architecture, and cloud services."

Also on Indeed.com's top in-demand skills list: JavaScript, encryption, CI/CD, the C language, and Ruby.

It's a supply and demand issue

The right set of skills can command a premium at many companies. Because businesses are desperate to speed up their operations and deployment, they need people who can secure their systems at the same speed, Foote said.

DevSecOps can lead to an average pay bump of 18%, while just knowing the ins and outs of DevOps adds 15%, according to Foote Partners' quarterly survey. Penetration testing accounts for a 15% increase in salaries, while knowledge of continuous integration or test-driven development adds 14%.

"They are looking for people with a natural curiosity about the world and where the threats are coming from. They want people who will always be on the hunt. So, make yourself valuable in this industry—focus on the big picture, not just the small stuff."
Foote Partners survey

Because the landscape changes quickly, applicants who focus on continuous learning are the most valuable, said Finastra's Valtman. Companies that ask too many questions about specific technologies may miss the best candidates.

"Today we have containers—tomorrow we will have another technology that the app sec teams will have to adjust to," Valtman said. "The most important skills today are those that give you the ability to investigate new technologies."