Certification – July 2019

(C. Jardin) #1
JOB PROFILE
APPLICATION SECURITY ADMINISTRATOR

Develop, implement, and maintain comprehensive application testing that is in-depth and up-to-date. Integrate automated static and runtime testing and reporting into the SDLC for new applications as well as those undergoing change.
Determine metrics to be collected for monitoring application security. Automate collection and reporting of metrics on a regular basis, and periodic reporting of application scanning.
Monitor, update, and maintain scanning tools and processes.
Guide developers on scanning, analysis, reporting, and remediation.
Participate in incident response. Work with developers to identify, analyze, and solve security problems.
Write and maintain reports of all security incidents and remediation measures.
Enhance security awareness and ensure the development team is up to date with hacking techniques.
Create and conduct hackathons to enable developers to practice hacking.
Encourage developers to understand the OWASP Top 10 Most Critical Web Application Security Risks and the OWASP Top Ten Proactive Controls.
Develop, update, and implement application security training programs for new recruits as well as experienced members of the development team.
Keep track of current application-specific certifications and annual certification requirements.


Changes in technology

It’s important to keep yourself informed about advances in web and mobile application technology and developments in application security. A good application security engineer needs to keep pace with changes in order to be able to protect the company’s applications and data.
You need to also stay informed of changes in security technology tools, as well as changes in approach. According to Jay Kelath, Director of Product Security for Dow Jones, Interactive Application Security Testing (IAST) and Dynamic Application Security Testing (DAST) are the new technologies to watch.
Kelath also refers to the solutions-based approach to application security. Instead of discovering vulnerabilities in applications and resolving them, some application security teams are focusing on developing common solutions that developers can use.

Training and employment
background

A bachelor’s degree in computer science or a related subject is commonly included as an educational requirement in job listings for application security engineers, though some prospective employers prefer a master’s degree. You can also consider degrees in cybersecurity. Quite a few leading universities today, including Carnegie Mellon and the NYU School of Engineering, offer cybersecurity courses.
Though online courses are not a substitute for a university degree, a good MOOC can help you get started on learning about cybersecurity. MOOC providers like Udacity, Coursera, and Cybrary offer courses on a variety of cybersecurity subjects, and many universities and tech companies offer similar online learning environments.
Solid real-world experience in application security or development carries a lot of weight and can sometimes result in an individual being hired even without a relevant degree. Companies wanting to hire application security engineers typically look for at least two to three years in development of software products or services.
Application security engineering is still a relatively new field, and many companies lack the wherewithal for employees to learn on the job. An experienced application security engineer who knows what it takes to provide reliable application security can hit the ground running from day one.

Amazon, Facebook, and Google sponsor bug-discovery programs that pay people to detect vulnerabilities. It’s not the money that’s important and valuable here, so much as the proof of applicable expertise.
