When you look at an online web app form field that asks for your credit card number, do you think:
a) I’d better enter the 16 digit number on the front of one of my plastic credit cards.
b) Credit card number? Where’s the PayPal button?
c) I wonder what would happen if I put ‘OR 1=1; in that field?
If you answered c, then maybe you should consider a career in application security.
The unemployment rate for information security professionals is ridiculously low, and application security professionals in particular are in very high demand. They’re only slightly easier to find than leprechauns or unicorns.
With our increasing reliance on web and mobile applications for everything from staying in touch with friends to supporting disaster relief efforts to enabling the global economy, the need for application security professionals is absolutely critical. Application security requirements must be documented at the beginning of every application development project. Source code security reviews must occur before an app goes to QA, where testing must include both positive and negative tests. Once apps are made available for public consumption, we need a combination of automated scans and manual analysis, all for the sake of finding and fixing security flaws before someone else finds (and exploits) those flaws.
So how does one go about starting a career in as an application security professional?
Start by training yourself. The Open Web Application Security Project (OWASP) is an AMAZING resource for self-training. The OWASP Top Ten Projects (both Web and Mobile) can provide you with foundational knowledge of the most significant types of application security flaws. Once you have a fundamental understanding of these flaws, you can dive into the OWASP Testing Guide for details on how to detect and address those (and other) flaws in a vulnerable web application.
If you prefer hands-on experience, then you can download and explore deliberately vulnerable web applications like WebGoat, NOWASP (Mutillidae II), and Bricks. Once you stand up these apps in your lab environment, you can experiment with some of the tools that app sec professionals use, tools like Mantra, Zed Attack Proxy (ZAP), and Burp. If you’re fortunate enough to have an app sec budget, you might even be able to get screen time with commercial web app tools from vendors like Veracode.
What about certifications? Certs are great for getting you past HR screeners so you can speak with a hiring manager, but the better hiring managers are more interested in what you know than whether or not you can pass a test. That said, SANS has courses in the app sec space that can help you tie book knowledge to practical knowledge, courses than can prepare you to be a certified GIAC Web Application Penetration Tester (GWAPT). If pen testing isn’t your thing, then you might want to explore the (ISC)2 Certified Secure Software Lifecycle Professional (CSSLP) cert instead. If you’d rather focus specifically on mobile app security, check out the Mobile App Security+ cert from CompTIA.
Finally, it’s critical that get out from behind your laptop and network with other app sec and infosec pros. ISSA and ISACA have chapters in dozens (hundreds?) of cities. Attend these meetings, introduce yourself, and let folks know that you’re actively pursuing a career in application security. If you’re fortunate enough to live in a city with an OWASP chapter, go to these meetings and talk to other app sec pros. And you should DEFINITELY attend local, regional, and national information security conferences. Most should have a track dedicated to application security.
Finally, if you want to take a big step forward in your app sec career, you need to give back. Offer to speak on app sec at a local infosec group chapter meeting. Respond to a CFP at a local or regional conference. Volunteer some time to contribute to an OWASP project. Do you research and share what you’ve learned. This knowledge sharing is CRITICAL to community, and there’s no better way to demonstrate that you understand a topic than teaching it to someone else.
There are so many communities for developers out there that you can learn just about anything you want if you just start asking questions! Sometimes the best way to learn is to just get your hands dirty.