Best Path to Become an Application Security Engineer

Simply put, application security engineers help secure the software applications that an organization develops and offers, whether as internal tools for employees or as services for customers. This involves security considerations at every stage of the software development life cycle: design, secure coding, testing, and deployment. There are many ways to find security vulnerabilities in applications, ranging from static analysis (which scans the source code and the libraries it pulls in), to dynamic analysis (which tests the application as it executes), to penetration testing (in which a tester uses tools and manual techniques to look for weaknesses). However, beyond the methodologies and tools, it is important to build a culture of security and to develop an attacker's mindset.

Jeff Williams, one of the first people to hold the title of application security engineer, traveled his own path into the role. When General Electric, in the late 1990s, contracted his team to build an application, it also asked them to review the code for security flaws before it was hosted on the internet. The sales team accepted the proposal, but it was Williams and the technical team who faced the challenge of learning how to review and write secure code, design application security architecture, perform threat modeling, and much more. Since that project, Williams has hired hundreds of application security engineers and is now the CTO and cofounder of Contrast Security, a California-based application security vendor.

Williams faced many tough times on his journey because no professional training existed at the time. As application security has gained prominence, however, there are now ample opportunities to learn and become an application security engineer. If you are thinking of breaking into this segment, the first step is to understand what an application security engineer actually does; only then can you figure out how to shift into the role from your current job.

To become an application security engineer who can exploit applications to find vulnerabilities and then secure them, you need to have the basics down. The following steps will get you started.

Step 1: Begin with Your Education

Along with the quality of the education, the value of the credential and where you obtain it also matter. Online courses will help you on your way, but be prepared to keep learning throughout your career: application security is an ever-growing subject.

You should be able to read and write web applications using front-end technologies such as HTML and JavaScript and server-side languages such as Java, PHP, or .NET, and you should be able to work out what an application does by reading its code.

EC-Council is the world's leading cybersecurity credentialing body, operating in 145 countries, and owns many cybersecurity courses, including Certified Application Security Engineer (C|ASE). C|ASE is a credentialing program that gives you a holistic overview of application security and prepares software professionals with the skills that employers look for in candidates globally.

Step 2: Match the Prerequisites

The job of an application security engineer is technical in nature but also calls for managerial skills; hence, a candidate should have a strong technical background before pursuing an application security program. The managerial and leadership skills can be developed on the job.

C|ASE offers two tracks: Java and .NET. A candidate with a minimum of two years of experience in either language can pursue C|ASE.

Both platforms have attracted many developers over the years thanks to their open-source ecosystems, platform and language independence, interoperability, and ease of deployment. However, developer training and everyday practice often do not emphasize security; C|ASE fills that gap.

Step 3: Practice for Perfection

“In the U.S., experience is more than a degree.”—Forbes [1]

Security is not only about learning; it is mostly about implementing. Being new to application security, you may not have the required experience, but as a developer you can always make use of your current position. Start applying the knowledge and skills you have learned through this program in your current job; this gives you a real-world learning opportunity. At the same time, spend quality time practicing the subject.

EC-Council's range of labs gives you practical exposure to real-life challenges. EC-Council students also have access to iLabs, a virtual, real-time lab platform, and C|ASE comes with labs that give students hands-on experience on different application security projects.

Step 4: Get Credentialed

When you are confident in the skills and knowledge you have gained over the course of study, it is time to attain the credential. Completing the course alone does not establish that you are a competent application security engineer; you must sit the exam and earn the credential.

The C|ASE exam is delivered online, lasts 2 hours, and consists of 50 questions; a score of 70% or above is required to pass. Because C|ASE covers both .NET and Java, there is a separate exam version for each track.

The C|ASE credential was developed in partnership with application and software development experts globally. It attests that you have gained the professional knowledge and skills that employers worldwide look for.

Step 5: Design Your Own Secure Application

It is now time to shift gears and get your hands dirty with some coding. Grab a friend and make it a pair-programming exercise; this brings different viewpoints and coding patterns to the table.

Pick a popular use case (a to-do list, a calendar, etc.) and design a web application for it. While building it, use popular libraries or boilerplate code (if they contain security anti-patterns, even better!). This step will help you recognize common anti-patterns and language-specific pitfalls. In addition to the client-side code (HTML, JavaScript), you will need some server-side code and a database; run these locally or spin up an instance in the cloud. Once the application is up and running, try to break it: find and exploit its vulnerabilities. Some will have been introduced by you, others by the libraries or template you used.

Now that the application is broken, it is time to fix it. Sort the vulnerabilities into two buckets, design and implementation, according to when they could have been identified and fixed. Address the issues without giving up functionality or usability. Understanding how to fix issues will make you better at spotting flaws and at bypassing incomplete fixes. Both the breaking and the verification can be done using a black-box approach (no access to source) or a white-box approach (full access to source).
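As an added illustration of the build-break-fix loop above (this is not code from the article, EC-Council, or the C|ASE program), here is a minimal to-do list back end in Python with SQLite. The deliberately vulnerable version carries two classic implementation-bucket bugs, SQL injection and stored cross-site scripting, and the hardened version beside it fixes both with a bound query parameter and HTML output encoding. The table, user names, and attack payloads are constructed sample data.

```python
"""To-do list back end in two versions: a deliberately vulnerable one (SQL
injection + stored XSS) and a hardened one. Illustration added to the
article; all data below is constructed, not taken from any real system."""
import html
import sqlite3


def make_db():
    """Fresh in-memory database holding two users' to-do items (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE todos (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO todos (owner, title) VALUES (?, ?)",
        [("alice", "Buy milk"), ("alice", "Renew passport"), ("bob", "Secret board deck")],
    )
    return conn


# ---- Vulnerable version: the anti-patterns boilerplate templates often ship with ----

def list_todos_vulnerable(conn, owner):
    """Builds the query by string concatenation, so the 'owner' value becomes SQL text."""
    sql = "SELECT title FROM todos WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def render_vulnerable(titles):
    """Interpolates stored titles straight into HTML; a title containing markup is executed."""
    return "<ul>" + "".join("<li>" + t + "</li>" for t in titles) + "</ul>"


# ---- Hardened version: same functionality, parameterised query + output encoding ----

def list_todos_fixed(conn, owner):
    """Bound parameter: the driver passes 'owner' as data, never as part of the SQL."""
    rows = conn.execute("SELECT title FROM todos WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def render_fixed(titles):
    """Escapes every title for the HTML body context before it reaches the page."""
    return "<ul>" + "".join("<li>" + html.escape(t) + "</li>" for t in titles) + "</ul>"


# ---- "Try to break it": payloads an attacker would send as the owner name / a new title ----

SQLI_PAYLOAD = "alice' OR '1'='1"             # tautology: returns every user's items
XSS_PAYLOAD = "<img src=x onerror=alert(1)>"   # stored XSS planted through a to-do title


def demo():
    """Runs both payloads against both versions and reports what each one achieved."""
    conn = make_db()
    # Attacker (logged in as alice) stores a malicious title through the normal create path.
    conn.execute("INSERT INTO todos (owner, title) VALUES (?, ?)", ("alice", XSS_PAYLOAD))

    leaked = list_todos_vulnerable(conn, SQLI_PAYLOAD)   # query becomes WHERE owner='alice' OR '1'='1'
    contained = list_todos_fixed(conn, SQLI_PAYLOAD)     # no owner is literally named that, so no rows
    page_bad = render_vulnerable(list_todos_fixed(conn, "alice"))
    page_ok = render_fixed(list_todos_fixed(conn, "alice"))
    return {
        "sqli_leaks_other_users": "Secret board deck" in leaked,
        "sqli_blocked": contained == [],
        "xss_executes": "<img src=x onerror=" in page_bad,
        "xss_encoded": "&lt;img src=x onerror=" in page_ok and "<img" not in page_ok,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running the script shows all four checks as True: the concatenated query leaks bob's item and the unescaped render ships the script to the browser, while the hardened pair does neither. Note that even the fixed version still takes `owner` from the caller; in a real application that is a design-bucket flaw (any user can request any owner's items), and the fix belongs at design time: derive the owner from the authenticated session rather than from the request. That distinction is exactly what the categorization step above is meant to surface.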

Now it is time to move forward and embrace the challenging role of an application security engineer. Remember, the right credential can open the door to a wide range of opportunities. For more details on C|ASE, visit https://www.eccouncil.org/programs/certified-application-security-engineer-case/



Editor's Note:
Reviewed by Akashdeep Bhardwaj, Head of Cyber Security Operations (India) at British Telecom Security and Miguel Halling, President, Information Security Department, Incident Management, DLP Operations at BNY Mellon