Application Security (AppSec) Engineer Career Path
Application Security Engineers are responsible for securing data, systems, and applications. They ensure that an organization’s applications and services follow best security practices and align with their organization’s risk profile.
How to use the information on this page: We’ve gathered information from real job postings across numerous organizations, research papers from third parties, and by interviewing AppSec professionals in order to compile a comprehensive and actionable career path. The hope is that this information serves as a roadmap to help you identify where you should personally focus your learning efforts in order to become an AppSec Engineer. Of course, everyone is different. That means you might be starting from zero, or you may already be beyond the basics. Either way, we’ve tried to provide this information in a way that will help you throughout your career, and we will keep it as up-to-date as possible. With that said, please contact us if you think we missed something important or if something needs to be updated!
1. Summary
Fundamentals
The fundamentals are the core areas, skills, languages, and tools that you should know. This doesn’t mean that you need to master them all. Some are recommended, while others are great to know but not as high on the priority list. Also, just because there may be multiple tools, languages, or skills under one section, it doesn’t mean you need to know all of the recommended ones. For example, with programming languages, you don’t need to know all of them. Learn 1 or 2 well, and not only will you have a solid foundation, but it will be much easier to learn the others if needed down the road.
Programming Languages:
- Recommended:
  - JavaScript
  - Python
  - Java
  - PHP
  - .NET
- Great to know:
  - Go
  - Ruby
  - BASH
  - Git
Experience with:
- Software Development Lifecycle (SDLC)
- Test-Driven Development (TDD)
Strong understanding of:
- Recommended:
  - OWASP Top 10 vulnerabilities and methodologies
  - CWE Top 25
  - The Twelve-Factor App
- Great to know:
  - MITRE ATT&CK
  - HackerOne Top 10 vulnerabilities
- Writing test cases
- Manual testing
- Automated testing
- Experience with testing tools
- Dynamic & static testing
- Source code reviews
Networking:
- Networking basics as they relate to development:
  - DNS
  - HTTP(S)
  - Ports
Linux and Server Administration:
- Setting up web application servers
- Creating development, staging, and production environments
Ability to:
- Create threat models
- Perform security risk assessments
- Perform vulnerability assessments
Communication skills:
- Writing reports
- Effective presentations
- Explaining technical concepts to non-technical people
- Documentation
Specializations
These are areas of specialization that you can focus on. While exposure to a little bit of everything is recommended, most people naturally gravitate towards one area over the others.
- Web Applications
- Mobile Applications
- Serverless Applications
Differentiating skills
These skills tend to increase pay and job market desirability, but they are usually acquired after fundamentals as well as specializations and aren’t considered starting points.
- Cloud
- DevSecOps
- Exploit development
Career Paths
While job positions come in all kinds of different names, jobs related to AppSec skills tend to fall under one or more of these categories. This gives you an idea of the different paths you can go down by building these skills over time.
- Software Developer
- Application Security Engineer
- Web Pentester
- Bug Bounty Hunter (full time or part time)
- Consulting
- DevOps Engineer
Certifications
Can certifications give you an edge? Are they required to get jobs? Let’s take a look!
- Are they worth it?
- Many jobs require them, or at a minimum look favorably upon them
- Which ones are requested most often in job postings related to AppSec positions?
- CISSP, GIAC, CEH, CSSLP, OSCP, CCSK (or CSEP), CRISC
2. Jobs
This information is pulled from a combination of real online job postings and has been summarized. Search term(s) used: “Application Security Engineer”
Demand: high
There are many open jobs for this specific search term at various levels of experience (beginner to senior). Application Security skills also rank as the highest in terms of skills shortage across multiple recent third-party reports.
Common Responsibilities
- Find application security weaknesses
- Security-related testing (test cases), manual & automated (dynamic and static)
- Documentation
- Properly classify and communicate severity & impact of vulnerabilities
- Develop solutions to remediate findings
- Manage the lifecycle of vulnerabilities from identification to remediation and reporting
- Provide security guidance to engineering teams
- Application pentesting
Common Requirements
- Bachelor’s degree (frequently, but not always, seen)
- Experience with:
  - AppSec
  - Pentesting
  - Vulnerability management
- Programming languages (most often seen):
  - Java
  - PHP
  - .NET
  - Python
  - JavaScript
- Experience with:
  - Source code reviews
  - Vulnerability detection
  - Root cause analysis
- Experience with testing tools (most often seen):
  - BERT
  - Acunetix360
  - Checkmarx
  - SysDig
  - Whitesource
  - Fortify
- Excellent verbal and written communication skills (i.e., communicating technical concepts to non-technical audiences effectively)
- Project management skills:
  - Working on multiple projects at the same time
  - Managing priorities
  - Managing deadlines
- Deep understanding of:
  - OWASP Top 10
  - CWE Top 25
- Good to know:
  - MITRE ATT&CK
- Experience with threat modeling and security risk assessment
- Experience with TDD & SDLC practices
Great to have (and more commonly required in Senior jobs):
- Exploit development
- Certifications:
  - CISSP
  - GIAC
  - CEH
  - CSSLP
  - OSCP
  - CCSK or CSEP
  - CRISC
- DevSecOps experience:
  - Implementing CI/CD pipelines
  - Managing secrets
- Cloud experience:
  - Architecture
  - Design patterns
  - Security risks
  - IAM (Identity & Access Management)
  - Networking security
- Understanding of encryption:
  - Secrets management
  - Authentication
  - Data masking
  - Implementation
- Automation tooling:
  - Ansible
  - Puppet
  - Jenkins
  - Terraform
- API security
- Bug Bounty experience
- CTF experience
3. Learning Paths
Foundations
Learn Programming Languages
Very important for web (pick 1-2 of these and focus)
- Java
- PHP
- .NET
- Python
- JavaScript
- C
Very important for mobile
- Swift
- Android Java
Important
- Ruby
- SQL
Useful
- Angular
- Vue.js
- React
- Bash
- Go
Programming Tools
- Git
Programming Concepts
- Data structures (trees, sorting, etc.)
- Encoding/Decoding
Basic Server Administration
Operating Systems:
- Important:
  - Linux
- Useful:
  - Windows
Webservers (pick 1 and learn it well)
- Important:
  - Apache
  - Nginx
- Useful:
  - Tomcat
  - IIS
Caching
- Important:
  - Redis
- Useful:
  - Memcache
Databases (dabble in both SQL and NoSQL)
- SQL
  - MySQL/MariaDB
  - PostgreSQL
  - MSSQL
- NoSQL
  - MongoDB
  - Cassandra
  - AWS DynamoDB
AppSec Security Path
Networking Fundamentals
- TCP/IP fundamentals
- DNS fundamentals
- HTTP
- FTP
Software Development Lifecycle (SDLC)
- Planning and requirement analysis
- Defining requirements
- Designing the product architecture
- Building and developing the product
- Testing the product
  - TDD (Test-Driven Development)
  - Security testing
    - Writing test cases
    - Manual testing
    - Automated testing
    - Testing tools
    - Dynamic and static testing
    - Source code review
- Deploying to market and maintaining
- Waterfall vs Agile vs Rapid development
Vulnerabilities
- Web:
  - OWASP Top 10 for Web
  - OWASP Top 10 for APIs
  - OWASP Top 10 for Serverless
  - HackerOne Top 10
- Mobile:
  - OWASP Top 10 for Mobile
- CWE Top 25
- MITRE ATT&CK
- Vulnerability Assessment (Pentesting)
  - Tooling
  - Methodologies
  - Google Dorking
Cloud
- Concepts:
  - Identity and Access Management
  - Data Protection
  - Infrastructure and Network
  - Monitoring & Logging
  - Security Risks
- AWS
- Azure
- GCP
Exploit Development
Cryptography Fundamentals
- SSL
- HTTPS
- Implementation
- Authentication and data masking
- Hashing
AppSec Frameworks
- Web:
  - OWASP ASVS
- Mobile:
  - OWASP MASVS
- OWASP SAMM
- OWASP Proactive Controls
- Threat Modeling & Security Risk Assessment
DevSecOps
- Infrastructure as Code
  - Configuration Management
    - Ansible
    - Puppet
    - Chef
    - Salt Stack
  - Containers
    - Docker
    - rkt
    - LXC
  - Infrastructure provisioning
    - Terraform
    - AWS CloudFormation
    - Azure Templates
    - Google Deployment Manager
- CI/CD
  - Jenkins
  - Circle CI
  - Travis CI
  - GitLab CI
  - GitHub Actions
- Secrets Management
- Configuration Management
Logging & Monitoring
- Error logging and monitoring
- Performance logging and monitoring
- Web
- Mobile
- Cloud
© Cybr, Inc. All Rights Reserved.
