Jan 21, 2024 3 min read

A Career in AppSec

One of the very first things that I ask someone when they want to get started in cybersecurity is which area, they want to get involved in. And the answer is almost always; "hacking things" (a.k.a. penetration testing), threat intelligence, or red teaming. The glamorous roles of cybersecurity. Now don't get me wrong, these roles are incredibly important, however they are only a part of the puzzle. If we had to have everyone performing the roles, we would end up with the ability to find lots of holes and that's about it.

I think that one of the troubles is that many don't realise how diverse cybersecurity is. You have roles from the physical aspect all the way to the glamorous roles to the roles that aren't technical at all (e.g. compliance type roles). There are just so many roles to choose from. And one of those roles is Application Security!

One thing that I find interesting, is how few people are entering the field. So why should people be interested in role in this field? Well here a few!

Job Security

It comes down to simply supply vs demand. The demand for application security professionals keeps growing, yet there are too few entering the field. Think about it, many organisations have some form of development. As a result, they will need to start focusing on the security of the software that is produced by their development teams. Clients are, finally, starting to pay far more attention to the security of the software and services that they pay for. More regulations are coming in, forcing the hand of security in products and services that companies provide (for example the EU’s Cyber Resilience Act). So, demand for application security professionals is likely only going to increase!

Salaries

This goes in tandem with the above point. With a shortage of supply, organisations are competing with one another to get suitable candidates. And that means having to pay more. Some of the salaries I’ve seen are astounding. Candidates with only a few years' experience demanding a 6-figure salary (in the UK) is becoming the norm now!

Tech

This is will largely depend on the organisation that you work for, but for almost all, you will find yourself working with the latest technologies. This is both daunting at times, but really exciting as well.

Hacking is Involved

Let me let you in on a little secret. AppSec employees get to do plenty of pen tests! And the best part? For most of the time, very limited documentation! You would likely only need to submit the appropriate bug tracking ticket (e.g. Jira) for your findings. No report that must go through QA (there are times where this is needed, but it certainly is not common). The other benefit is that you can often get to the code for the systems that you are testing, making for even more interesting tests!

Many Roles

One of my personal favourites is the different roles that you cover. I get bored easily, so having the change is something that I love about the role. Now this is not for everyone, but if you love role where no 2 days are the same, this is for you! The other benefit is that you get exposure to different areas of cybersecurity. This can help from a career perspective, should you with to switch to another role later in your career.

So yes, AppSec may not be one for those “glamorous” or “rockstar” type roles that you often see on the TV, but it is a vital role. One that is likely to become increasingly important to organisation. It’s also a remarkably interesting role, with many exciting parts to it. Finally, from a career perspective, it pays well, and you have wonderful job security (unless you trying to hire someone, then you will get many grey hairs!). I really hope to see more folk to jump in and join the slowly growing number of us!

A last point to make, while coding or development experience will be helpful, it is not an absolute must. Far more important is the passion and desire. You can always pick up the skills along the way!

Sean Wright
Sean Wright
Experienced application security engineer with an origin as a software developer. Primarily focused on web-based application security with a special interest in TLS and supply chain related subjects.
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Sean Wright.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.