AppSec For New Professionals
by @sethlaw
Getting into Application Security can be daunting, but there is a way
As podcasters, we are often asked what it takes to get into Application Security. While there is no “one true way” to get into Application Security, we have talked with individuals on the podcast with a range of backgrounds, from coding or engineering to circus performers (seriously). All it takes is a desire to learn, time to explore different application security topics, and to get involved.
Some people have winding paths into AppSec
So where to start? It is often said that the best application security engineers were software engineers in the past. While the ability to code enterprise applications is definitely a plus, it is not a hard and fast requirement. That being said, the ability to read code and understand application interactions is a definite advantage when finding and fixing application flaws. When facing a language or framework without prior experience, one of the first things to do is read the documentation, follow a tutorial, and write a small hello-world application using that specific technology.
In other words, if you don’t know how to build or code applications, there is no wrong place to start. Jump into the deep end and build a web application using Node.js with Express, Ruby on Rails, or Django. Or go the mobile route and build something using React Native, Android Studio, or Apple’s Xcode. Each tutorial and coding step will teach you how developers think. If you are just starting with code, stick with the basics of Python or JavaScript to get going. There are a multitude of online tutorials for both.
If you have prior coding experience, but are inexperienced with security vulnerabilities and flaws, start with the Open Web Application Security Project’s (OWASP) Top 10 Web Application Security Risks. OWASP is a nonprofit group of security and software engineers that works to improve software security through awareness, tools, and a number of different projects. Learn to identify those risks and exploit them using one of the many intentionally vulnerable applications (e.g. OWASP Juice Shop, WebGoat, DVWS) and an intercepting proxy (OWASP ZAP, Burp Suite). This process will get you started thinking offensively about how an application is built and how security weaknesses are identified.
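As an added example (not code from the original post), here is one of the Top 10 risks, injection, in Python: a login check that pastes user input straight into a SQL string next to the parameterized version, both run against a constructed SQLite in-memory table. The `users` table, its single row, the payloads, and the function names are assumptions made for illustration; the point is to see the same input succeed against the first and fail against the second.

```python
"""Added example: an OWASP Top 10 injection flaw (SQL injection) next to its fix.

Uses a constructed SQLite in-memory database; this is not code from the
original post. The "users" table and the login functions are hypothetical.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    # Plain-text password only so the injection is easy to follow;
    # a real application stores a salted password hash instead.
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('admin', 'correct horse battery staple')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query with string formatting: attacker input becomes SQL syntax."""
    query = (
        f"SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the driver keeps the data separate from the SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


def demo() -> dict:
    """Run the same inputs through both versions and report each outcome."""
    conn = setup_db()
    # Classic bypass: close the quoted string, then comment out the rest.
    # SQLite treats "--" as a line comment, so the vulnerable query becomes
    #   ... WHERE username = 'admin'--' AND password = 'anything'
    comment_payload = "admin'--"
    # Tautology variant: the OR makes the WHERE clause true for every row.
    tautology_payload = "' OR 1=1 --"
    results = {
        "vuln_valid": login_vulnerable(conn, "admin", "correct horse battery staple"),
        "vuln_wrong_password": login_vulnerable(conn, "admin", "guess"),
        "vuln_comment_injected": login_vulnerable(conn, comment_payload, "anything"),
        "vuln_tautology_injected": login_vulnerable(conn, tautology_payload, "anything"),
        "safe_valid": login_safe(conn, "admin", "correct horse battery staple"),
        "safe_wrong_password": login_safe(conn, "admin", "guess"),
        "safe_comment_injected": login_safe(conn, comment_payload, "anything"),
        "safe_tautology_injected": login_safe(conn, tautology_payload, "anything"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} -> {'logged in' if ok else 'rejected'}")
```

Run it and compare the two halves of the output: the vulnerable function logs the attacker in with either payload and no password, while the parameterized one treats the payload as a literal username that matches nothing. The same pattern is what you will be looking for in Juice Shop or WebGoat with a proxy in between, just with HTTP requests instead of direct function calls.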
Once familiar with common risks, vulnerabilities and exploits, your personal path depends on your current role and responsibilities. If you are employed as a developer, look for vulnerabilities within your own code and application, as long as you have permission to do so. In addition, many organizations have implemented, or are implementing, security champions programs. Take advantage of these programs to expand your knowledge and interact with others in your company who are responsible for and interested in security.
If you are a student or currently not involved in any development projects, bug bounty programs make it easy to explore and search for security vulnerabilities in real-world applications. The two most popular platforms are currently HackerOne and Bugcrowd. Stick to the scoped targets, but don’t be afraid to look for common issues, even if the target has been running a bug bounty program for a long time. If you find a security flaw, report it back through the program, document a step-by-step process to reproduce the issue, and provide recommendations for mitigating the problem. If you are not sure how the mitigation should work, research the issue and expand your own knowledge before reporting the vulnerability.
Once you have decided to go down the application security path, get involved with your local community either through conferences or local meetups. We can’t stress enough how much making in-person connections has affected our application security careers. OWASP and DEF CON Group chapters exist all over the world and meet monthly in most locations. While some topics are advanced, chapter leaders are happy to include topics that are applicable to all and help others get into the industry.
Conferences are great places to meet people and hear the latest research on advanced topics. Don’t discount the opportunity to hone your security skills through the capture-the-flag (CTF) events that run during most security conferences. At a minimum, most CTFs will include application security targets (e.g. web or mobile applications, API endpoints), while larger conferences like DEF CON have villages and contests that are specific to application security. We have learned more by participating in CTFs than by attending talks on specific vulnerabilities.
As you become familiar with different areas of application security, do not be afraid to explore the different security activities associated with building applications. For example, you may have a knack for secure code review rather than penetration testing dynamic sites. Or threat modeling may speak to you more than writing authentication routines. Not every organization asks for every one of these activities, but there are organizations that value each of them. In other words, find your niche and what you enjoy.
Once you have a target of the job you want, use your network to identify opportunities. Speak up to your colleagues and boss about security in your organization. Volunteer to train others on what you have learned. Explore novel aspects of your chosen topic and blog, present, or otherwise codify your research. The way you explain a topic may help others trying to understand that same topic and will only solidify your own understanding. Put out the resources you wish were available when you started.
Whatever you do, enjoy the ride.
tags: appsec - career - growth - newb