Jeff Williams became an application security engineer in the late 1990s, before it was a common job title.
“General Electric came to my company and said, ‘We like your data centers, but we need every line of code reviewed for security before it goes on the internet,’” he recalled. “The sales team quickly said, ‘Sure!’ Everyone else took a quick step backwards and I got the job of figuring out how to deliver.”
That meant learning how to do penetration testing, security code reviews, secure coding training, application security architecture, and threat modeling, he said.
Since then, Williams, who is now the CTO and cofounder at Palo Alto, Calif.-based application security vendor Contrast Security, has hired hundreds of application security engineers.
He said that he looks for people with strong computer science skills, who are fluent in multiple programming styles and languages.
“But that’s not enough,” he added. “I always looked for people — like myself — who loved programming, but didn’t necessarily want to spend their life coding other people’s ideas. I look for people who work on open source projects, write their own tools, and code every day — those people that are excited and passionate about code. So, it’s a lot more about real-world experience than book learning.”
Many large companies, particularly in the financial services industry, have application security teams, he said.
“You can also work at a consulting company, where you will get experience with a lot of different technologies and many different types of businesses,” he said. “If you’re up for some really hard work it can be a tremendously rewarding experience. There’s just no other way to get the breadth of experience you can get this way, and you’ll work with the best in the business.”
Application security vendors are also hiring, he added.
“You can get a job building an application security product,” he said. “You might be a product developer, security researcher, product marketer, sales engineer, or solutions architect.”
These jobs are often in security startups, he added. That can be exciting, he said, but a startup can also be a volatile place to build a career.
For those starting out, Anthony Bettini, senior director of software engineering at Columbia, Md.-based Tenable Network Security, recommends NYU Polytechnic School of Engineering, Berkeley, Carnegie Mellon and Purdue as having good programs in this field.
“Cybersecurity education at the university level is a lot better now than it was, say, ten years ago,” he said.
The annual Black Hat conference also has a lot of content related to application security, he added. “Their historic talks are archived, and there are a lot of white papers online.”
People looking to move over from application engineering can also get certifications and attend training programs, he said, though those programs most often focus on operational security rather than application security.
As with other security fields, there is a wage premium. The national median salary for an application security engineer is $98,040, according to Glassdoor, while the salary for an application engineer is $82,467.
Plus, it’s another growing area, said Bettini.
“It’s no longer just technology companies developing software,” he said. “All of the Fortune 500 have become software companies, and are facing increasing cybersecurity risks, so it’s causing them to hire more application security engineers.”
That, and the demand from the vendor side, is driving wages up, he said.
It’s the area of cybersecurity that’s had the least investment so far, and is the most immature, said Kennet Westby, chief security strategist at Denver-based Coalfire Systems, Inc. “It’s an area where we’re seeing huge demand.”
Most of the application security engineers he’s hired come from an application development background, he said.