The cybersecurity specialists who carry out this work hold the job title of AppSec professional. Proactively managing software risk is a big job, and career opportunities in this growing field are widespread. Virtually any business that makes or uses software requires the skills of AppSec engineers, managers, analysts, consultants and numerous other roles. “It used to be that you could draw really clean lines around what an application is,” says Sam King, CEO of Veracode. “Now we use APIs, open source code, containers, infrastructure as code, configurations. … Today, it’s about bringing security to software in whatever form it presents and making it easy for developers to use — but not forgetting about the needs of a security team either.”

What is AppSec?

An organization’s software usually comes from a variety of sources: vendors, internal development teams and even partners. AppSec is meant to secure it all. It can do so during the software development phase, but it is also required as an ongoing effort. To do their work, AppSec pros have numerous tools at their disposal to identify and remediate vulnerabilities. Gartner defines this as the Application Security Testing (AST) market: its buyers and sellers trade in products and services designed to analyze and test applications for security vulnerabilities, and it is estimated to be a $3.7 billion industry with 12 percent growth forecast for 2021. Part of the industry’s growth is attributed to the rise in popularity of DevOps, a combination of the terms development and operations. It represents a collaborative or shared approach to the tasks performed by a company’s application development and IT operations teams. The goal of DevOps is stronger alignment and cohesion between developers and systems administrators. Adding security to that collaboration gives DevSecOps. “DevOps was gaining momentum because dev organizations realized the need for efficiency and better operations of code when it runs in production,” King said. “They wanted to break down silos and therein was an opportunity for the security team to say, if we’re going to change our practices around how we develop and deploy code, then why don’t we also include security as part of those new practices?”

What does an AppSec pro do?

To boost security and protect data, AppSec engineers work in partnership with developers, IT and others to set security policies for applications and build proactive programs that address the entire software lifecycle — from development to end of life. They also measure program results and report on progress, often supporting an organization’s Chief Information Security Officer (CISO). Because software is never really finished — it’s almost always on a regular update schedule and deployments are continuous — it’s important for security to be both a development consideration and an ongoing priority. For the day-to-day tasks of AppSec pros, that often means the implementation of frequent vulnerability tests. There are four broad types of application security tests:

Dynamic application security test (DAST): Black box testing using a scanner
Static application security test (SAST): White box testing of the source code
Interactive application security test (IAST): Tests while the application is running
Software composition analysis (SCA): Tests open-source code not written by the team

Testing is an important strategy for achieving the goal King outlines: the protection of any line of code that is used for a critical process or that will transact critical data.

What does it take to work in AppSec?

AppSec roles are available at every level, from beginner to more advanced positions for those who already have strong cyber experience and are looking to make a change. For anyone interested in AppSec, being able to demonstrate your technical skills is important. You might start with a few of these training options or certifications:

On-demand training like the OWASP Top 10, Offensive Bash Scripting, Python for Pentesters, Introduction to Vulnerability Management and secure coding
Certification, such as the Infosec Institute Certified Mobile and Web Application Penetration Tester and (ISC)² Certified Secure Software Lifecycle Professional (CSSLP)
Hands-on cyber ranges and projects covering secure coding, the secure software development lifecycle, application pentesting and more

For King, it’s also about how you do what you do, including hot topic areas like communication, collaboration, out-of-the-box thinking and how you handle challenges. “Show your growth mindset and have a willingness to learn,” she says. “There are so many opportunities in this sector.” To learn more about what it takes to work in AppSec, watch our Cyber Work Podcast, Building a billion-dollar cybersecurity company with Sam King.

Sources

Gartner forecasts worldwide security and risk management spending to exceed $150 billion in 2021, May 2021, Gartner Press Release
What is DevOps?, TechTarget