Application security engineers earn more money than application engineers and are in high demand, but the job requires additional training in security.

Jeff Williams became an application security engineer in the late 1990s, before it was a common job title.

“General Electric came to my company and said, ‘We like your data centers, but we need every line of code reviewed for security before it goes on the internet,’” he recalled. “The sales team quickly said, ‘Sure!’ Everyone else took a quick step backwards and I got the job of figuring out how to deliver.”

That meant learning how to do penetration testing, security code reviews, secure coding training, application security architecture, and threat modeling, he said.

Since then, Williams, who is now the CTO and cofounder at Palo Alto, Calif.-based application security vendor Contrast Security, has hired hundreds of application security engineers. He said that he looks for people with strong computer science skills, who are fluent in multiple programming styles and languages.

“But that’s not enough,” he added. “I always looked for people — like myself — who loved programming, but didn’t necessarily want to spend their life coding other people’s ideas. I look for people who work on open source projects, write their own tools, and code every day — those people that are excited and passionate about code. So, it’s a lot more about real-world experience than book learning.”

Many large companies, particularly in the financial services industry, have application security teams, he said.

“You can also work at a consulting company, where you will get experience with a lot of different technologies and many different types of businesses,” he said. “If you’re up for some really hard work it can be a tremendously rewarding experience. There’s just no other way to get the breadth of experience you can get this way, and you’ll work with the best in the business.”

Application security vendors are also hiring, he added.
“You can get a job building an application security product,” he said. “You might be a product developer, security researcher, product marketer, sales engineer, or solutions architect.”

These jobs are often in security startups, he added. That can be exciting, he said, but can also be a volatile place to build a career.

For those starting out, Anthony Bettini, senior director of software engineering at Columbia, Md.-based Tenable Network Security, recommends NYU Polytechnic School of Engineering, Berkeley, Carnegie Mellon and Purdue as having good programs in this field.

“Cybersecurity education at the university level is a lot better now than it was, say, ten years ago,” he said.

The annual Black Hat conference also has a lot of content related to application security, he added. “Their historic talks are archived, and there are a lot of white papers online.”

People looking to move over from application engineering can also get certifications and attend training programs, he said, though they most often focus on operational security rather than application security.

As with other security fields, there is a wage premium. The national median salary for an application security engineer is $98,040, according to Glassdoor, while the salary for an application engineer is $82,467.

Plus, it’s another growing area, said Bettini.

“It’s no longer just technology companies developing software,” he said. “All of the Fortune 500 have become software companies, and are facing increasing cybersecurity risks, so it’s causing them to hire more application security engineers.”

That, and the demand from the vendor side, is driving wages up, he said.

It’s the area of cybersecurity that’s had the least investment so far, and is the most immature, said Kennet Westby, chief security strategist at Denver-based Coalfire Systems, Inc. “It’s an area where we’re seeing huge demand.”

Most of the application security engineers he’s hired come from an application development background, he said.