How to become an application security engineer

by Jennifer Zaino

The jobs and recruiting site Glassdoor puts the national average salary for an application security engineer at $98,040. That’s higher than what a tech pro could earn on average as an IT security analyst ($67,056, per Glassdoor), network engineer ($73,165), or developer ($75,441). In certain markets, the payoff for moving into an application security engineer career can rise even higher—in San Francisco, the average salary is $135,916.

You may have been thinking about how you can break into this hot area. Who wouldn’t find it exciting to hunt down application vulnerabilities before the bad guys do or gratifying to add value to a business by securing the software development lifecycle? What you’ve got to figure out is how to most efficiently position yourself to move into such a role from your current security or other IT job.

It’s not easy. Generally, employers can’t afford to have people learn application security engineering skills on the job, says Sherif Koussa, founder of Software Secured. So you’ll likely be putting in a lot of your own time and perhaps money into building up expertise to prove you can be up and running in such a job on day one. The industry also isn’t mature enough for employers to always know what these jobs should require, he adds, which could leave aspirants puzzled about what they really need to do to qualify.

However, there are smart steps you can take to get your foot in the door—hopefully sooner rather than later. Top application security engineers share their advice.

Take on real-world problems

Gaining real-world experience is a must. Koussa and Rohit Sethi, chief operating officer of the app security training, consulting, and technology company Security Compass, recommend participating in efforts such as the bug bounties sponsored by Google, Amazon, and Facebook, where you can get paid for discovering vulnerabilities. 

“If you found these bugs for Google or Amazon, it will show them you must know a thing or two.” —Sherif Koussa

Google’s Vulnerability Rewards program, for instance, paid $3 million to security researchers last year. Of course, as Sethi points out, it’s less about the money and more about getting credit from potential hiring managers for being actively involved—if not technically employed—in the area.

You also can be proactive about maturing your application security engineering skills by taking part in open-source communities such as the Open Web Application Security Project (OWASP). Its various endeavors include the OWASP Top Ten list of the most critical web application security risks. “You can point to your contributions of how you have helped progress something,” Sethi says.

There are plenty of additional OWASP and other open-source projects that haven’t received the same attention as the Top Ten and that don’t have enough people to help with things such as requirements analysis for secure software design and secure code reviews, he says, so there’s plenty of opportunity to build experience.

Follow the academic track

There’s cause to pursue certifications, as well. “Training that ideally has some sort of market-acknowledged certification or credibility will help demonstrate you’ve attained a level of proficiency and can speak volumes of your commitment to the craft,” says John Reed, senior executive director at specialized staffing firm Robert Half Technology.   

But don’t get carried away. Most employers aren't big on certifications in the application security engineering space yet, says Sethi. “However, any relevant SANS certification or ISC2 program will certainly help raise your profile,” he says. He recommends the GIAC Web Application Defender (GWEB) certification, the GIAC Secure Software Programmers certification (GSSP), the Certified Secure Software Lifecycle Professional (CSSLP), and the Secure Software Practitioner (SSP) suites.

Taking advantage of online courses on the topic can help set you on the right path in the face of a sea of overwhelming information, Koussa says. But be prepared to show an employer that your motivation for studying goes beyond being able to put a checkmark in the curriculum column.

“A course isn’t going to tell me everything you’ll be able to do next. The main thing about application security is that you are proactive, inquisitive, and willing to learn, always.” —Sherif Koussa

Challenge yourself with games and exercises

Your course or certification accomplishments will look better, for instance, if they’re paired with examples of how you put your learning to use on your own initiative, says Koussa. He’s more likely to be impressed by a candidate who told him she took a course in software security if she also tells him she complemented her learning by participating in a capture-the-flag web app security competition where she sussed out the flow of vulnerabilities. 

Think outside the box when it comes to challenges that could be applicable to application security engineering, too. Natalya Krecker, senior software security engineer at legal software vendor kCura, recommends the CryptoPals Crypto challenge, which mostly takes the form of practical attacks against common vulnerabilities in web apps.

Software engineers don’t have to deal with cryptography during their day-to-day work, so it may not be on the top of their mind, she says. But beyond just helping to create a practical understanding of cryptography in software, the eight sets of exercises to solve in the CryptoPals Crypto challenge also help teach how to identify, exploit, and then avoid some cryptographic weaknesses, Krecker says.

Grow within your current role

You also should consider how you can put your current job to work for you to improve your chances of changing career course.

Krecker did. She knows it’s important to be great at the job you already have if you’re planning to make the transition to a new career in the same organization. “Focus on consistently meeting and even exceeding the expectations of your colleagues and customers,” she says. “While serving as the lead software engineer in test, I committed to deliver continuous results that have become a solid foundation for trust within the organization and allowed me to change careers and pick up on a new learning opportunity.”

Sethi says that in most companies, application security teams are looking to find champions for their cause among individual IT teams. So ask if you can become their ambassador in your team, he says. Reed suggests volunteering to do extra work for the application security group itself, because there’s always more work than people: Be willing to invest your personal time—come in early, stay late—to pitch in. Show that you’ve been building some skills on your own. “This can be an opportunity to get exposure,” he says.

If taking on such roles doesn’t lead to a full-time job in the application security group at your current business, it’s still an asset you can list on your résumé to send to other employers.

There are other tweaks you can make to strengthen your fitness for an application security engineer role, too. Sethi says to work on writing and presentation skills; you’ve got to be able to communicate the results of security testing to others and explain why what you found is important, how to replicate it, and how to fix it.

Koussa recommends developing enough expertise to give a presentation about a topic such as secure coding to co-workers or others to showcase your proactivity. “[That] is what employers want to see in security application engineers,” he says.

Reed suggests attending related user group sessions and other tech events, both to immerse yourself in the topic and to build networking contacts who may be able to help you along your journey.

Commit to continuous learning and never be afraid of asking for help, urges Krecker.

“Be humble and stay hungry.” —Natalya Krecker

Additional resources

Here are some resources to start you on your path to becoming an application security engineer: