One of the very first things I ask someone who wants to get started in cybersecurity is which area they want to get involved in. The answer is almost always: "hacking things" (a.k.a. penetration testing), threat intelligence, or red teaming. The glamorous roles of cybersecurity. Now don't get me wrong, these roles are incredibly important, but they are only one part of the puzzle. If everyone performed those roles, we would end up with the ability to find lots of holes and not much else.
I think one of the troubles is that many don't realise how diverse cybersecurity is. There are roles covering the physical side, the glamorous roles, and roles that aren't technical at all (compliance-type roles, for example). There are just so many roles to choose from. And one of those roles is Application Security!
One thing I find interesting is how few people are entering the field. So why should people be interested in a role in this field? Well, here are a few reasons!
It comes down simply to supply versus demand. The demand for application security professionals keeps growing, yet too few people are entering the field. Think about it: many organisations have some form of software development, so they will need to focus on the security of the software their development teams produce. Clients are, finally, starting to pay far more attention to the security of the software and services they pay for. More regulation is arriving that forces companies to build security into the products and services they provide (the EU’s Cyber Resilience Act, for example). So demand for application security professionals is only likely to increase!
This goes in tandem with the point above. With a shortage of supply, organisations are competing with one another for suitable candidates, and that means having to pay more. Some of the salaries I’ve seen are astounding. Candidates with only a few years' experience demanding a six-figure salary (in the UK) is becoming the norm now!
This will largely depend on the organisation you work for, but in almost all of them you will find yourself working with the latest technologies. That can be daunting at times, but it is really exciting as well.
Hacking is Involved
Let me let you in on a little secret. AppSec employees get to do plenty of pen tests! And the best part? Most of the time, very little documentation is required. You would likely only need to raise the appropriate bug-tracking ticket (e.g. in Jira) for your findings. No report that must go through QA (there are times when this is needed, but it certainly is not common). The other benefit is that you can often get at the source code of the systems you are testing, which makes for even more interesting tests!
One of my personal favourites is the range of different roles you cover. I get bored easily, so having that change is something I love about the role. Now this is not for everyone, but if you love a role where no two days are the same, this is for you! The other benefit is that you get exposure to different areas of cybersecurity. This can help from a career perspective, should you wish to switch to another role later in your career.
So yes, AppSec may not be one of those “glamorous” or “rockstar” type roles that you often see on TV, but it is a vital role, and one that is likely to become increasingly important to organisations. It’s also a remarkably interesting role, with many exciting parts to it. Finally, from a career perspective, it pays well and you have wonderful job security (unless you are the one trying to hire someone, in which case you will get many grey hairs!). I really hope to see more folk jump in and join the slowly growing number of us!
A last point: while coding or development experience is helpful, it is not an absolute must. Far more important is passion and desire. You can always pick up the skills along the way!