Certification – July 2019

(C. Jardin) #1
JOB PROFILE
APPLICATION SECURITY ADMINISTRATOR

Learn by doing


There are a number of ways to gain hands-on experience. Most Fortune 500 and other large companies are now hiring application security engineers. A stint as a member of an application security or development group at one of these enterprises can teach you how to actually secure a product or service.

A job at an application security software firm in product development or security can also help you gain valuable experience. Consulting companies offer aspiring application security engineers the opportunity to work with a wide range of businesses and technologies, thereby enabling them to develop extensive knowledge and skills.

It’s up to you to gain relevant experience. Whether one is employed as an application security engineer or yet to secure employment in the area, participating in various security programs organized by open source communities is another effective means of building skills and getting exposure. When recruiters see that you have succeeded in discovering bugs in some of these open source projects, they understand that you have expertise that they could use.

Amazon, Facebook, and Google sponsor bug-discovery programs that pay people to detect vulnerabilities. It’s not the money that’s important and valuable here, so much as the proof of applicable expertise. Recruiters want to see what candidates have actually implemented. Other open source projects include the Open Web Application Security Project (OWASP).

If you are already working in IT, then volunteering to assist the application security team in your company can help you build application security skills in your spare time and demonstrate your interest and commitment to your employer. It might help you get a transfer to the application security department, and even if it doesn’t, it’s a great way to gain exposure and learn, as well as a valuable addition to your resume.

You should also consider working on your communication skills. The ability to write coherently or deliver a presentation — on the importance of writing secure code and how to go about it, or on resolving vulnerabilities, or on testing results — is a skill that employers often look for when hiring application security engineers.

Certifications

Though certifications aren’t key criteria for companies looking to hire application security engineers, relevant credentials demonstrate that you have invested in learning. Applicable certifications from the SANS Institute (GIAC), (ISC)², and ISACA are often requested by some employers, in addition to other qualifications.

Certified Secure Software Lifecycle Professional (CSSLP) is a globally recognized certification from (ISC)². This credential validates advanced technical expertise in application security.

To earn the CSSLP, you need to have at least 4 years of cumulative professional experience as a software development professional in one or more of the 8 domains of the (ISC)² CSSLP Common Body of Knowledge (CBK), pass the CSSLP exam, complete the online endorsement process, and formally commit to support the (ISC)² Code of Ethics. Details are available online.

The GIAC Web Application Testing (GWAPT) credential demonstrates knowledge of web application exploits and penetration testing methods. To earn the GWAPT, you need to pass one 2-hour, 75-question proctored exam with a score of at least 71 percent. Details are available online.

The Certified Ethical Hacker (CEH) is a vendor-neutral certification from industry association EC-Council. This credential demonstrates applicable knowledge of ethical hacking and is a useful acknowledgment of various skills that are needed for secure application development.

To earn the CEH (ANSI) credential, you need to either complete EC-Council’s official training or have proof of at least two years of professional experience in information security, and pass the EC-Council CEH exam. To earn the CEH (Practical) certification, you need to purchase the exam dashboard code and pass the CEH (Practical) exam. Details are available online.

Other applicable certifications include CompTIA Security+, Certified Application Security Engineer (CASE), and Offensive Security Certified Professional (OSCP). OSCP is also a suitable credential for those aspiring to become penetration testers.

Outlook good

As cybersecurity becomes ever more challenging for businesses, the demand for application security engineers is expected to rise. By gaining relevant experience and qualifications and focusing on improving the security of internal and external applications without affecting availability and performance, you can build a rewarding career as an application security engineer. Be curious and proactive, and keep learning and implementing.