A career in application security (AppSec) can be rewarding, diverse, and challenging. However, as a relatively new domain within cybersecurity, it has not garnered widespread attention among professionals exploring careers in the field.
The need for AppSec professionals is increasing as attackers shift their focus from employing traditional malicious methods to targeting software and the software supply chain. However, the AppSec domain remains a largely unexplored opportunity that is often overshadowed by more established cybersecurity roles and specializations.
Sean Wright, head of AppSec at Featurespace, points to multiple reasons for the relative lack of interest in AppSec jobs. Chief among them is an overall lack of awareness of the role among cybersecurity professionals — and of what it entails day to day. Cybersecurity practitioners often also perceive the role as less interesting or less important than others, such as penetration testing, threat hunting, and threat intelligence.
There may also be a simple misconception that you have to be a developer to work in AppSec. Being a developer may be an advantage in some shops, but it should not hold you back. "While having application development experience can be a plus, it is not an absolute requirement for an application security job," Wright said.
Here are five reasons to consider — or maybe reconsider — a role in AppSec.
[ See Special Report: The State of Software Supply Chain Security (SSCS) 2024 | Download: State of SSCS ]
1. Supply chain attacks are increasing demand for AppSec pros
Spurred by software supply chain attacks and growing concerns about data breaches that are tied to software vulnerabilities, many business and IT leaders have created new AppSec roles within their organizations in recent years. DevOps teams are under intense pressure to integrate security earlier into the software development lifecycle (SDLC). At many organizations, they have begun working with AppSec engineers and security operations (SecOps) teams to ensure that apps are secure through the lifecycle, from design and development to deployment and maintenance.
For years, AppSec was not a defined role in many organizations, but over the past decade, that has changed, said Wright. That has created a growing demand for AppSec professionals in recent years.
"We don't have sufficient numbers of application specialists coming into the industry, yet the demand for these specialists is increasing. I've noticed a strong increase in the number of organizations now starting to build these roles."
—Sean Wright
2. The compensation is good for AppSec roles
There is an acute shortage of all cybersecurity professionals. A new global survey of about 1,000 cybersecurity professionals by Kaspersky found that the average organization requires more than six months to find a qualified security professional.
The gap between demand and supply in the AppSec realm is even worse, given the lack of traditional interest in the role. That means job seekers can expect to land a well-paid gig in the field. According to Glassdoor, total pay for AppSec engineers in the United States in February 2024 ranged from $129,000 to $191,000 annually, with a median of $136,732.
Organizations looking for new AppSec hires often require months to find the right candidate, and the competition can be fierce. Often, it's the organizations with deep pockets that are able to snag the good candidates. "Due to the limited supply, this is an ideal time for candidates," Wright said.
"This is a simple demand-and-supply issue. Something that has happened more recently is that candidates are being offered significant packages by companies that can afford to."
—Sean Wright
Just as with many other careers in security, the skills shortage affecting AppSec allows talented professionals to grow their careers substantially if they make the switch, said Eric Schwake, director of cybersecurity strategy at Salt Security.
"We are seeing these types of jobs in high demand from organizations, coinciding with strong potential salaries."
—Eric Schwake
3. AppSec jobs can be diverse and challenging
Despite perceptions to the contrary, a career in AppSec can be exciting and filled with opportunities to do interesting things. An AppSec engineer has responsibilities that include everything from performing security testing to conducting risk assessments, doing code reviews, implementing secure coding practices, and performing threat modeling exercises. Often, the role requires collaboration with DevOps teams and designers to manage and remediate vulnerabilities, develop exploits, and participate in red-team and penetration-testing exercises.
The diversity of work ensures that it remains intellectually stimulating and challenging, Wright said.
"You get your hands on many parts of technology as well as work on some of the more exciting aspects of security, such as penetration testing. If you like working on different things, this is an excellent role."
—Sean Wright
The diverse and collaborative nature of the work also means more career advancement opportunities, he said.
"Since you get exposed to so many different areas, you can then branch off or specialize in areas that particularly interest you."
—Sean Wright
4. AppSec pros play a critical role in cybersecurity
AppSec has become a huge concern for organizations today because of the explosive growth of apps throughout their ecosystem, and that growth is accelerating with the advent of generative AI, Schwake said.
"AI is a driving force in this and will allow developers an easier way to create more applications and APIs. This will introduce increased risk, which means AppSec jobs must grow to provide security for these organizations."
—Eric Schwake
AppSec jobs can offer practitioners an opportunity to be at the cutting edge of technology as companies digitally transform their businesses. A role in AppSec can also be a steppingstone to a career in the related and emerging field of API security. API security expertise is sorely lacking within organizations today, and professionals in the role have an opportunity to make a significant impact on their organizations, Schwake said.
"We see APIs — the lifeblood of application communication — as a big blind spot for organizations. APIs have become more critical to secure than ever, so if you as an AppSec professional can focus on that, you can help position yourself as different from those who are more broadly focused."
—Eric Schwake
5. Abundant training and support are available to aspiring AppSec pros
While development skills can be an asset in AppSec, they aren't essential to start in the role, Wright said. In fact, he added, the amount of free training and material that is readily available is astonishing.
"There are also several communities such as local OWASP chapters that also will have many who would be more than willing to help [others] enter the field. So my advice to those who do want to get into the field is take advantage of the training material out there and engage with the community. Many will go out of their way to help others get into the field."
—Sean Wright
Shift your thinking to match the shifting security landscape
John Bambenek, president at Bambenek Consulting and a seasoned threat hunter, said that while AppSec demands some experience with software engineering, what's more important is the right attitude. The role is well suited for security professionals who derive job satisfaction from making users and the software they use safer, he said.
"The core of the problem is that in cybersecurity, offensive work is sexy, where most other roles are not as attractive. We watch movies with shootouts; we don’t watch movies where the hero makes body armor. There are bug-bounty programs; I have yet to see a patch-bounty program."
—John Bambenek
For individuals who care little about these distinctions, AppSec can be a rewarding career because of its focus on securing the software that people use at work and leisure.
"AppSec professionals are the ones who are keeping society safe, so if you are looking for meaning in your work, this can translate very easily to finding it."
—John Bambenek
