What is Application Security?
Application security, currently one of the most talked-about topics in the security field, is the practice of keeping an application secure throughout its development lifecycle. The discipline has existed for a long time in different forms, mostly as security-minded developers who rigorously test applications while they are being built, make sure the code follows secure coding practices, and then test and deploy it with hardened configurations.
Application security draws on three areas in addition to general security knowledge: offensive testing, secure development, and DevOps practice. An application security engineer can work on tasks ranging from penetration testing and code review to writing security requirements and assessing the maturity of development teams (which may include product owners, developers, QA, DevOps engineers, and others).
Beyond the Firewalls
A wave of high-profile security bugs made it clear that firewalls and network protection measures cannot shield applications from flaws in their own code. Most of the risk now sits inside the application itself, which pushed the security community to tackle the issues at the source.
It became crucial for security officers to ensure that security practices are applied across the whole development lifecycle, from the first design of the application to its deployment. Firewalls can still be deployed as an additional layer, but they are no longer the main line of defense. The application now has to carry its own security.
Building security in from the start lets companies avoid defacement, breaches, business-logic abuse, and countless other attacks at a far lower cost than remediating them in production.
Who Are the AppSec Engineers?
Application security engineers can have different skill sets and areas of expertise. The most prominent are:
- Engineers with an offensive mindset who enjoy breaking things and then fixing them proactively. These are mostly penetration testers looking for vulnerabilities in any given system or software, and sometimes QA engineers who take an interest in security testing. They have an extensive arsenal of tools and techniques and are creative in how they conduct their assessments. Most of the time they run dedicated application testing tools and feed their results into the organization's vulnerability management program.
- Engineers with a developer's background who love to build things. They are the best at communicating with other developers, and they know exactly what to recommend when a vulnerability appears. They mostly sit with the development teams, help them out, and write the code fixes themselves if necessary.
- Engineers with a DevOps background who love to automate every task and make sure processes cover every aspect of code integration, build, deployment, or any other step in the application's lifecycle. They excel at adding a security baseline to every project and every pipeline, so that any build that deviates from the baseline fails and is never released.
That doesn't mean application security is limited to these backgrounds. Some people start from scratch and accumulate knowledge as they go; others move over from other specializations.
Some engineers love to focus on educational and awareness topics and are extremely innovative in how they do it. Others love to assess the maturity of the secure development lifecycle and enjoy creating gap assessments as well as analyzing risks and priorities.
The role usually requires some development knowledge, but the engineer does not need to be an expert: they have to know enough to deliver their security knowledge to the rest of the team and follow its discussions.
An engineer can grow in various directions. The role lets them handle incidents, secure applications and networks (offensively and defensively), own products as a security engineer, report on maturity progress, and set secure coding best practices. From there the engineer can move up to a CISO or technology lead role, or build and own security tools.
The AppSec Tooling State
Tools on their own provide very little value. They need to be properly configured, paired with the right follow-up actions, and backed by false-positive triage so that the real issues are not buried under noise.
Today's tools are mainly integrated into the development, testing, and deployment stages. They create a uniform flow for the code to pass through those stages, which ensures that every change meets a baseline security level. Some tools also come as libraries that are linked into the application itself, such as the OWASP Enterprise Security API (ESAPI).
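As an added example (not code from the original page), here is a minimal CI gate of the kind a DevOps-minded appsec engineer would wire into the testing stage. It reads a simplified, SARIF-like scanner report and a triage file, suppresses only findings that an unexpired triage entry accepts by fingerprint, and fails the build when anything at or above the agreed severity threshold remains. The report shape, the triage file fields (fingerprint, owner, reason, expires), the rule names, and the sample data are all constructed for this illustration and do not correspond to any particular scanner's output.

```python
"""Minimal CI security gate (added example): fail the build when scanner
findings exceed the agreed baseline. The SARIF-like report shape and the triage
file fields (fingerprint, owner, reason, expires) are assumptions."""
from __future__ import annotations

import sys
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    fingerprint: str  # scanner-provided stable id; survives line-number shifts

@dataclass
class Verdict:
    blocking: list = field(default_factory=list)         # fail the build
    suppressed: list = field(default_factory=list)       # accepted by valid triage
    below_threshold: list = field(default_factory=list)  # reported, not blocking
    expired: list = field(default_factory=list)          # triage fingerprints past expiry

    @property
    def passed(self) -> bool:
        return not self.blocking

def parse_findings(report: dict) -> list[Finding]:
    """Flatten the simplified SARIF-like report into Finding objects."""
    findings = []
    for run in report["runs"]:
        for result in run["results"]:
            loc = result["locations"][0]["physicalLocation"]
            findings.append(Finding(
                rule_id=result["ruleId"],
                severity=result["properties"]["severity"].lower(),
                path=loc["artifactLocation"]["uri"],
                line=loc["region"]["startLine"],
                fingerprint=result["partialFingerprints"]["primary"]))
    return findings

def evaluate(findings: list[Finding], triage: list[dict],
             threshold: str = "high", today: date | None = None) -> Verdict:
    """A finding at or above `threshold` blocks the build unless an unexpired
    triage entry accepts its exact fingerprint (not its path or line)."""
    today = today or date.today()
    verdict, accepted = Verdict(), {}
    for entry in triage:
        if date.fromisoformat(entry["expires"]) < today:
            verdict.expired.append(entry["fingerprint"])  # stops suppressing
        else:
            accepted[entry["fingerprint"]] = entry
    min_rank = SEVERITY_RANK[threshold]
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < min_rank:
            verdict.below_threshold.append(f)
        elif f.fingerprint in accepted:
            verdict.suppressed.append(f)
        else:
            verdict.blocking.append(f)
    return verdict

def _loc(uri: str, line: int) -> list[dict]:
    return [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                  "region": {"startLine": line}}}]

# Constructed sample report and triage file, not real scanner output.
SAMPLE_REPORT = {"runs": [{"results": [
    {"ruleId": "SQL_INJECTION", "properties": {"severity": "critical"},
     "partialFingerprints": {"primary": "f1a2"}, "locations": _loc("app/orders.py", 42)},
    {"ruleId": "HARDCODED_SECRET", "properties": {"severity": "high"},
     "partialFingerprints": {"primary": "b3c4"}, "locations": _loc("tests/fixtures.py", 7)},
    {"ruleId": "XSS_REFLECTED", "properties": {"severity": "high"},
     "partialFingerprints": {"primary": "d5e6"}, "locations": _loc("app/views.py", 118)},
    {"ruleId": "WEAK_RANDOM", "properties": {"severity": "medium"},
     "partialFingerprints": {"primary": "a7b8"}, "locations": _loc("app/tokens.py", 9)},
]}]}
SAMPLE_TRIAGE = [
    {"fingerprint": "b3c4", "owner": "appsec", "expires": "2099-01-01",
     "reason": "dummy credential in a test fixture; never shipped"},
    {"fingerprint": "d5e6", "owner": "team-web", "expires": "2020-01-01",
     "reason": "accepted for one sprint pending a fix"},  # expired: blocks again
]

def run_sample(today: date = date(2024, 6, 1)) -> Verdict:
    return evaluate(parse_findings(SAMPLE_REPORT), SAMPLE_TRIAGE, "high", today)

if __name__ == "__main__":
    v = run_sample()
    for f in v.blocking:
        print(f"BLOCK  {f.severity:8} {f.rule_id} {f.path}:{f.line}")
    for fp in v.expired:
        print(f"EXPIRED triage entry {fp}: fix the finding or re-triage it")
    sys.exit(0 if v.passed else 1)  # non-zero exit fails the pipeline stage
```

Two design choices carry the point of the paragraph above: suppressions are keyed on the scanner's stable fingerprint rather than on file and line, so a refactor does not silently revive or hide an accepted finding, and every suppression carries an owner and an expiry date, so a false positive or a deliberately deferred fix is re-examined instead of being ignored forever. Findings below the threshold are still collected so they can be reported without blocking the release.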
The requirements and design-modeling stages have proven the hardest to automate in the software development life cycle. Some tools have appeared for these stages, yet humans must stay involved because the tools are prone to false positives. Requirements and threat modeling are therefore still done mostly by hand, and they return enough value to justify the effort even at a high deployment cadence.
Adding security requirements to features and modeling architectural issues early lets developers build software securely from the start, instead of patching and creating workarounds after the code is finished.
Other tools are not security-specific at all: the agreed task-tracking and communication channels through which work is shared and prioritized. Almost every Agile organization uses them.
AppSec’s Needs and Disappointments
AppSec is a wonderful field to get into, but it is not all rainbows and butterflies. The engineer is pulled into many negotiations to convince stakeholders that security is a business need rather than a roadblock.
There are so many aspects to cover that an appsec engineer's life can be strenuous and demanding. In most cases these engineers belong to small teams while the development teams number in the hundreds or even thousands, so making appsec an integral part of the development lifecycle can seem an almost impossible task.
This is not to say that appsec is unachievable, only that the field is still maturing. It is imperative for companies to prioritize appsec, since these engineers deliver value the company needs to succeed.
How to Get Into AppSec
As with any long-term profession, it is essential to understand what attracts you to the work. To learn what to expect from this field, watch talks, listen to podcasts, read articles by well-known practitioners, follow experts on social media, or simply read documentation and study how certain tools work.
OWASP is one of the best places to get your hands dirty, whether by reading and writing documentation, or working on tooling and standards.
One crucial aspect of application security is empathy. To move security forward in an organization, one must understand how a business owner, a manager, a developer, or a DevOps engineer feels about a particular security requirement or issue, and then work out how to make it happen.
You can take the first step with the University of Miami Cybersecurity Bootcamp. With live, hands-on classes taught by experts in the field, you’ll get the training you need to catapult your career into cybersecurity. Schedule a free consultation with our Admissions Advisors today.