Lesson 2 of 26

About AppSec as a job

Christophe April 1, 2020

We’ve become so accustomed to reports of high-profile hacks that a new big one barely surprises anyone. And those are the very public hacks of organizations whose budgets dwarf those of small businesses. Most small-business hacks never make the news, even though their consequences for the business can be even more severe.

And while most of these hacks could have been avoided, the fact of the matter is that this is a complicated business. So complicated, in fact, that businesses hire people whose job it is to secure their applications. Sometimes entire teams or departments are dedicated to it.

If you’re here, you’re probably interested in getting a job in application security, or you already have a job in the field and you’re looking to formalize your learning. This video lesson is aimed more at people who are looking to enter the field and for whom this is the starting point.

Let’s answer questions you most likely have

So, this lesson aims to answer questions that you most likely have, such as:

  • What kinds of jobs can I get with Application Security skills?
  • What are the requirements for those jobs?
  • What kinds of salaries could I expect?
  • and more

Let’s start with the first question, since it will help us answer the others: “What kinds of jobs can I get with Application Security skills?”

What kinds of jobs can I get with AppSec skills?

You can find out by using any of a number of job search engines. In this lesson, we use Google’s job search.

[Screenshot: job search for Application Security jobs]

From there, select your location and any other filters you want. I’ll select Austin, TX for our example.

When I did this search, there were a lot of different application security engineer positions — “Application Security Engineer, App Sec Architect, Product Security Engineer, Application Security Manager, etc.”

If a particular position piques your interest, look at its requirements and compare them to your current skill set. By the end of this course you will have a better idea of where your knowledge gaps are, so that you can focus on those areas.

Not all of these listings post a salary range, but you can get an idea of typical pay from the estimate at the bottom of a listing, which Google pulls from other websites. Sites like Indeed, Glassdoor, and salary.com can give you a better salary range based on your experience level and other factors.

So, looking at all of these listings, here’s what we can say in general:

  • Salary ranges are always hard to pin down, because they depend on too many factors, but when I looked at positions in Austin, most entry-level ones had a starting salary of about $80k, so six figures is definitely achievable, either right away or as you get more experience under your belt.
  • As an Application / Software Security Engineer, you can expect to:
    • Develop and write new (or modify existing) applications, software, or specialized utility programs following software security best practices. It’s important that you understand those best practices, and that is a big part of this course.
    • Secure new or existing applications that others have developed, which means you need to be able to read and analyze other people’s code, ensure that it meets software security best practices, and ensure that it aligns with your business’s risk appetite.
  • All of this means you also need to put yourself in the shoes of an attacker and identify the different paths through your application that an attacker could use to harm the business. So you need to think through not just the code, but the application as a whole: it likely talks to a database, likely has authentication, sends information over a network, and so on. Each of these is an attack vector that must be kept in mind.

That doesn’t mean you need a thorough understanding of infrastructure security or network security; in a large enough organization there may be teams dedicated to those, and your area of focus will be narrower. But if you’re part of a small business or a smaller startup, it very well could be that you’re also entrusted with those areas of responsibility. Regardless, I highly recommend that you aim to understand as much of the entire picture as you can, because at the very least you can then speak intelligently about it.
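To make the “database plus authentication” attack path above concrete, here is an added example (not code from the original lesson) of the kind of code an application security engineer is asked to review: a login that talks to a database, first as a reviewer might find it and then hardened. The table layout, the account name and password, and the function names are all constructed for this illustration; the in-memory SQLite database stands in for whatever the real application uses.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed fixture for this example: one account with a known password.
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse battery staple"
PBKDF2_ROUNDS = 200_000


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table (constructed for this example).

    The table carries both the legacy unsalted SHA-256 column and the
    hardened salted PBKDF2 columns so the two login paths below can be
    compared against the same account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " legacy_sha256 TEXT,"   # checked by login_vulnerable
        " salt BLOB,"            # checked by login_hardened
        " pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (
            DEMO_USER,
            hashlib.sha256(DEMO_PASSWORD.encode()).hexdigest(),
            salt,
            hashlib.pbkdf2_hmac("sha256", DEMO_PASSWORD.encode(), salt, PBKDF2_ROUNDS),
        ),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Legacy login as a reviewer might find it.

    User input is pasted straight into the SQL text, so the database sees
    whatever structure the attacker supplies; the unsalted SHA-256 is a
    second finding. Returns True when the query finds a row."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    query = (
        f"SELECT username FROM users "
        f"WHERE username = '{username}' AND legacy_sha256 = '{digest}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed login: the username is bound as a query parameter, the stored
    salt and PBKDF2 hash are fetched, and the comparison is constant-time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = make_db()
    # "--" starts a SQL comment, so the legacy query's password check is cut off.
    bypass = "alice' --"
    print("legacy, real password:      ", login_vulnerable(db, DEMO_USER, DEMO_PASSWORD))
    print("legacy, injected username:  ", login_vulnerable(db, bypass, "not the password"))
    print("hardened, real password:    ", login_hardened(db, DEMO_USER, DEMO_PASSWORD))
    print("hardened, injected username:", login_hardened(db, bypass, "not the password"))
```

Running it shows the legacy path accepting `alice' --` with any password, while the hardened path treats that string as just an unknown username. The point for the job is the review habit, not this one bug: the reviewer traced an input from the network to the database and asked what an attacker controls at each hop.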

Closing Remarks

In the next lesson, we’re going to explore the NICE Framework and the Open Web Application Security Project (OWASP for short) in more detail, because they both provide blueprints for understanding specialty areas, work role tasks, and the necessary knowledge, skills, and abilities. OWASP has also developed standards that will prove incredibly helpful throughout this course and throughout your career in cybersecurity.

So with that, let’s mark this lesson as complete and I’ll see you in the next one!
