Application Security (AppSec) Engineer


Application Security (AppSec) Engineer Career Path

Application Security Engineers are responsible for securing data, systems, and applications. They ensure that an organization’s applications and services follow best security practices and align with their organization’s risk profile.

How to use the information on this page: We have worked to gather information across the internet, from real job postings across numerous organizations, to research papers from third parties, in order to compile the most common findings. The hope is that this information serves as a roadmap to help you identify where you should personally focus your learning efforts in order to become an AppSec Engineer. Of course, everyone is different. That means you might be starting from zero, or you may already be beyond the basics. Either way, we’ve tried to provide this information in a way that will help you throughout your career, and we will keep it as up-to-date as possible. With that said, please contact us if you think we missed something important or if something needs to be updated!

1. Summary

Fundamentals

The fundamentals are the core areas, skills, languages, and tools that you should know. This doesn’t mean that you need to master them all. Some are recommended, while others are great to know but not as high on the priority list. Also, just because there may be multiple tools, languages, or skills under one section, it doesn’t mean you need to know all of the recommended ones. For example, with programming languages, you don’t need to know all of them. Learn 1 or 2 well, and not only will you have a solid foundation, but it will be much easier to learn the others if needed down the road.

Programming Languages:

  • Recommended:
    • JavaScript
    • Python
    • Java
    • PHP
    • .NET
  • Great to know:
    • Go
    • Ruby
    • BASH

Programming tools:
  • Git

Experience with:

  • Software Development Lifecycle (SDLC)
  • Test-Driven Development (TDD)

Strong understanding of:

  • Recommended:
  • Great to know:
    • MITRE ATT&CK
    • HackerOne top 10 vulnerabilities

Security testing:
  • Writing test cases
  • Manual testing
  • Automated testing
    • Experience with testing tools
  • Dynamic & static testing
  • Source code reviews

Networking:

  • Networking basics as they relate to development:
    • DNS
    • HTTP(s)
    • Ports

Linux and Server Administration:

  • Setting up web application servers
  • Creating development, staging, and production environments

Ability to:

  • Create threat models
  • Perform security risk assessments
  • Perform vulnerability assessments

Communication skills:

  • Writing reports
  • Effective presentations
  • Explaining technical concepts to non-technical people
  • Documentation

Specializations

These are areas of specialization that you can focus on. While exposure to a little bit of everything is recommended, most people naturally gravitate towards one area over the others.

  • Web Applications
  • Mobile Applications
  • Serverless Applications

Differentiating skills

These skills tend to increase pay and job market desirability, but they are usually acquired after fundamentals as well as specializations and aren’t considered starting points.

  • Cloud
  • DevSecOps
  • Exploit development

Career Paths

While job titles vary widely, jobs related to AppSec skills tend to fall under one or more of these categories. This gives you an idea of the different paths you can go down by building these skills over time.

  • Software Developer
  • Application Security Engineer
  • Web Pentester
  • Bug Bounty Hunter (full time or part time)
  • Consulting
  • DevOps Engineer

Certifications

Can certifications give you an edge? Are they required to get jobs? Let’s take a look!

  • Are they worth it?
    • Many jobs require them, or at a minimum look favorably upon them
  • Which ones are requested most often in job postings related to AppSec positions?
    • CISSP, GIAC, CEH, CSSLP, OSCP, CCSK (or CSEP), CRISC

2. Jobs

This information is pulled from a combination of real online job postings and has been summarized. Search term(s) used: “Application Security Engineer”

Demand: high

There are many open jobs for this specific search term at various levels of experience (beginner to senior). Application Security skills also rank as the highest in terms of skills shortage across multiple recent third-party reports.

Common Responsibilities

  • Find application security weaknesses
  • Security-related testing (test cases), manual & automated (dynamic and static)
  • Documentation
  • Properly classify and communicate severity & impact of vulnerabilities
  • Develop solutions to remediate findings
  • Manage the lifecycle of vulnerabilities from identification to remediation and reporting
  • Provide security guidance to engineering teams
  • Application pentesting

Common Requirements

  • Bachelor's degree (frequently, but not always, seen)
  • Experience with:
    • AppSec
    • Pentesting
    • Vulnerability management
  • Programming languages (most often seen):
    • Java
    • PHP
    • .NET
    • Python
    • JavaScript
  • Experience with:
    • Source code reviews
    • Vulnerability detection
    • Root cause analysis
  • Experience with testing tools (most often seen):
    • BERT
    • Acunetix360
    • Checkmarx
    • SysDig
    • Whitesource
    • Fortify
  • Excellent verbal and written communication skills (i.e., communicating technical concepts to non-technical audiences effectively)
  • Project management skills:
    • Working on multiple projects at the same time
    • Managing priorities
    • Managing deadlines
  • Deep understanding of:
    • OWASP Top 10
    • CWE Top 25
    • Good to know:
      • MITRE ATT&CK
  • Experience with threat modeling and security risk assessment
  • Experience with TDD & SDLC practices

Great to have (and more commonly required in Senior jobs):

  • Exploit development
  • Certifications:
    • CISSP
    • GIAC
    • CEH
    • CSSLP
    • OSCP
    • CCSK or CSEP
    • CRISC
  • DevSecOps experience:
    • Implementing CI/CD pipelines
    • Managing secrets
  • Cloud experience:
    • Architecture
    • Design patterns
    • Security risks
  • IAM (Identity & Access Management)
  • Networking security
  • Understanding of encryption:
    • Secrets management
    • Authentication
    • Data masking
    • Implementation
  • Automation tooling:
    • Ansible
    • Puppet
    • Jenkins
    • Terraform
  • API security
  • Bug Bounty experience
  • CTF experience

Common Salaries (coming soon)

  • Austin, TX
  • Atlanta, GA
  • Charlotte, NC
  • Denver, CO
  • NYC, NY
  • San Francisco, CA
  • Seattle, WA

3. Learning Paths

While there are many ways to enter this field or follow this career path, this section highlights some of the main skills and knowledge needed to excel. The path is ordered from fundamentals to more advanced and specific skills/knowledge, so it’s recommended that you start at the top and work your way down. However, the order in which you follow the path is up to you; it is merely a recommendation based on our experiences, feedback from the community, and active job postings.
 
Disclaimer: Some of the linked resources are free, while others are paid. We are not responsible for anything that happens once you leave Cybr or any of our subdomains, as some of these links take you to external websites that we may not be affiliated with. This is a living document and can get updated at any time. If you feel we are missing something, please reach out!


Foundations

Learn Programming Languages

Very important for web (pick 1-2 of these and focus)

  • Java
  • PHP
  • .NET
  • Python
  • JavaScript
  • C

Very important for mobile

  • Swift
  • Android Java

Important

  • Ruby
  • SQL

Useful

  • Angular
  • Vue.js
  • React
  • Bash
  • Go

Programming Tools

  • Git

Programming Concepts

Basic Server Administration

Operating Systems:

  • Important:
    • Linux
  • Useful:
    • Windows

Webservers (pick 1 and learn it well)

  • Important:
    • Apache
    • Nginx
  • Useful:
    • Tomcat
    • IIS

Caching

  • Important:
    • Redis
  • Useful:
    • Memcache

Databases (dabble in both SQL and NoSQL)

  • SQL
    • MySQL/MariaDB
    • PostgreSQL
    • MSSQL
  • NoSQL
    • MongoDB
    • Cassandra
    • AWS DynamoDB

AppSec Security Path

Networking Fundamentals

  • TCP/IP fundamentals
  • DNS fundamentals
  • HTTP
  • FTP

Software Development Lifecycle (SDLC)

  • Planning and requirement analysis
  • Defining requirements
  • Designing the product architecture
  • Building and developing the product
  • Testing the product
    • TDD (Test-Driven Development)
    • Security testing
      • Writing test cases
      • Manual testing
      • Automated testing
        • Testing tools
      • Dynamic and static testing
      • Source code review
  • Deploying to market and maintaining
  • Waterfall vs Agile vs Rapid development

Vulnerabilities

  • Web:
    • OWASP Top 10 for Web
    • OWASP Top 10 for APIs
    • OWASP Top 10 for Serverless
    • HackerOne Top 10
  • Mobile:
    • OWASP Top 10 for Mobile
  • CWE Top 25
  • MITRE ATT&CK
  • Vulnerability Assessment (Pentesting)
    • Tooling
    • Methodologies
    • Google Dorking

Cloud

  • Concepts:
    • Identity and Access Management
    • Data Protection
    • Infrastructure and Network
    • Monitoring & Logging
    • Security Risks
  • AWS
  • Azure
  • GCP

Exploit Development

Cryptography Fundamentals

  • SSL
  • HTTPS
  • Implementation
  • Authentication and data masking
  • Hashing

AppSec Frameworks

  • Web:
    • OWASP ASVS
  • Mobile:
    • OWASP MASVS
  • OWASP SAMM
  • OWASP Proactive Controls
  • Threat Modeling & Security Risk Assessment

DevSecOps

  • Infrastructure as Code
    • Configuration Management
      • Ansible
      • Puppet
      • Chef
      • Salt Stack
    • Containers
      • Docker
      • rkt
      • LXC
    • Infrastructure provisioning
      • Terraform
      • AWS CloudFormation
      • Azure Templates
      • Google Deployment Manager
    • CI/CD
      • Jenkins
      • Circle CI
      • Travis CI
      • Gitlab CI
      • GitHub Actions
    • Secrets Management

Logging & Monitoring

  • Error logging and monitoring
  • Performance logging and monitoring
  • Web
  • Mobile
  • Cloud

 © Cybr, Inc. All Rights Reserved.