How To Get Into Application Security?

The Ultimate Guide to Becoming an Application Security Engineer

Discover the secrets of Application Security and learn what it takes to become an Application Security Engineer. From rewards & challenges to the desired skill set.

The Ultimate Guide to Becoming an Application Security Engineer

Stay up to date

Subscribe to never miss content like this


  1. Introduction
  2. What Is Application Security?
  3. Do I Need A Degree To Get Into Application Security?
  4. Application Security Foundational Skills
  5. I Don't Know How To Code. Is AppSec For Me?
  6. Application Security Skills
  7. Soft Skills
  8. Tips
  9. Building Skills
  10. Have Skills? Landing That AppSec Job
  11. Conclusion


Nowadays cybersecurity is a concern for every company out there. One of the main reasons for it, is the ever increasing number of cyberattacks happening out there. As a result, companies need to keep their assets secure. By assets, I mean eveything from software, hardware, networks to data, and everything in between.

Because there arent't enought people working in cybersecurity to fill out industry necessities, it quickly became a well compensated career path (although in tight economic environments, cybersecurity professionals are no exempt from layoffs). This makes it attractive for some people outside the industry to attempt a career conversion.

First of all, as most hard things that humans achieve, it's easier when you're passionate about what you're doing. If you're not in that category, it might be difficult to stay on course and up to date with the latest. Cybersecurity doesn't really have a path with instant gratification. Application Security (and all cybersecurity domains), is a very dynamic industry. New things appear all the time: new tools, new vulnerabilities, usage of AI in an offensive or defensive purpose, all of which can cause rapid shifts in priorities. At the same time, you have your day to day activities that need to be done. Things like helping developers fix stuff, security assessments, threat models, tool onboarding and so on. On top of that, you have to constantly learn, maintain and grow your skills (trainings, CTFs, certifications - some disagree with the latter, but I think they're helpful especially for beginners).

Another thing that you might encouter in Application Security, is that you'll wear a lot of hats. Cybersecurity teams are usually understaffed, so it can be a very dynamic and fast paced work environment with frequent context switching between tasks. One day you might reverse engineer something, another day an incident happens and you have to follow response procedures, and day after you might even have do forensics work. It's not like that everywhere, but don't be surprised if it happens. Some like that, while others might prefer to stay within their focus areas.

The fact that you have learn constantly can be attractive to some, while discouraging to others. If you enjoy learning and challenging yourself, you won’t be bothered. Simple as that. Love what you do and you will never work a day in your life, right?

What is Application Security?

Application Security is the process of improving the security stance of a software product by establishing, implementing and verifying security measures applied at the application level, but also around it (infrastructure, containers, build & deploy processes, etc). This aims to prevent security vulnerabilities and exploitation of threats like code execution, injections, etc.

Application Security is becoming more and more important in today's world of cloud connected applications and Software-As-A-Service. And this will only continue to grow, as companies externalize services and move to the Zero-Trust Security Model as working from home gets adopted by companies.

Why is Application Security important? Short answer: the earlier you find a security vulnerability in the Software Development Lifecycle, the earlier you are able to fix it. Hence the "shift left", or the newer "shift everywhere" mantra that you'll hear from every Application Security engineer. One of the reasons behind these buzz words is that it's way cheaper to fix vulnerabilities at design or implementation time rather than after the code is deployed. There are security tools and processes for pretty much every step of the SDLC. Of course, even if implementing them all, your application probably won't be 100% secure, but it's a great start. For the long answer, keep reading!

Do I Need A Degree To Get Into Application Security?

No. If you have the necessary skills and prove it, the lack of a Computer Science degree won’t stop you from landing a job. Of course, there will be companies or hiring managers sensitive to this requirement, just like there are others which require a specific security certification. Or some kind of experience.

Needless to say that having a college degree in Computer Science will definitely ease the path for you.

Application Security Foundational Skills

Like most technical jobs in cybersecurity, working in Application Security requires some foundational skills.

Networking fundamentals are a valuable skill for cybersecurity in general, not just Application Security. Although you probably don't need to go into the nitty-gritty, being comfortable with TCP/ IP and UDP is required for understanding a great deal of computer protocols.

In Application Security, you should be familiar with DNS and HTTP (with its versions, WebSockets, etc). Depending on the type of products a company handles, an AppSec engineer will probably encounter a lot more diverse protocols considering the variety of software stacks that exist.

Knowledge in what a proxy is and how to use one is a vital skill, as both applications and users make use of them. You should be able to understand and explain at least what happens when you visit a website in your browser: from DNS to web servers, reverse proxies, caches, proxies, redirects, etc.

Some system administration know-how is also nice to have. The more you know your way around different operating systems and related concepts, the better and easier it will be later on.

Most people are familiar with Windows as their operating system. As most Enterprise apps are either deployed to Linux servers, Docker containers or Kubernetes clusters, knowing your way around a Linux terminal is essential for an Application Security Engineer. Furthermore, MacOS is also present on lots of client machines.

Make sure you're able to:

  • manage files and folders (mv, cp, rm, etc)
  • search for things (like grep, find, etc)
  • filter (grep, cut, sort, sed)
  • edit files (nano, but some systems don't have it, so knowing some vi commands will help)
  • list and kill processes
  • undertand Unix pipes
  • do basic shell scripting (or python/similar)
  • Make sure you understand how to use the most important feature of SSH (from SOCKS tunnelling using -D, file transfer, scp, to [reverse] port porwarding).

    Give Apache & Nginx a look and look at how virtual host routing works. Understanding how typical web-server software is configured can also help in finding exploits or bypassing mitigations. Or just understanding how the different deployed layers of an application work together.

    To get acquainted with Linux faster, you can switch your main machine to a Linux OS, like Kali or Ubuntu. Kali is maintained by Offensive Security (makers of the security certifications with the same name) and comes bundled with a lot of security tools, from scanners to exploits and wordlists. So you get a very comprehensive toolbox to use in your bug hunting activities.

    If switching your main OS is not possible, you can just use a Virtual Machine. However your progress will be slower as you probably won't be using it as much. You could compromise and use a MacOS system, which has some of the Linux flexibility, coupled with a nice GUI.

    Another option for fast tracking your sys-admin skills is to build a virtualized home lab. This will be fun, challenging and a learning experience at the same time. You can then experiment with different OSs, make backups and snapshots and explore other benefits of virtualization.

    Hardware setups can vary, depending on budget and what you want to achieve with your home lab. You can use an old laptop and leave it plugged in somewhere. Of course, this probably won't work for long as they are not designed for non-stop use. If you live in an apartment, you might want something compact, silent and with decent performance. An Intel NUC can work in these scenarios. Personally, I went with an entry level Server motherboard from Supermicro (mainly because of IPMI and support for ECC RAM) with a e5 Xeon CPU. Not great, but I can run ESXi with FreeNAS, Windows for gaming (passing through an old non- supported GeForce 2070), and a bunch of VMs at the same time without issues. Hit me up if you’d like some tips into that!

    I Don't Know How To Code. Is AppSec For Me?

    It definetely can be. However, having coding skills would be a huge advantage. First, learning to automate things via scripting is useful and most of the time necessary. You will definitely encounter repetitive tasks in your day job which need to automated. Why waste time doing something boring when you can use that time to challenge yourself?

    Scripts are also used to build and deploy tools, applications or even infrastructure. Sometimes you'll need to create a quick proof of concept to demonstrate a software vulnerability. Or perhaps you will need to grab data from some vulnerability scanner's API to import in some other tool. You get the point.

    The common programming languages you should look at here are python, ruby, php and shell scripting like bash/zsh (Linux/MacOS) and powershell (Windows). Python is very easy to use, is available on most platforms and it's a great language to start with. There are tons of tutorials online. Whatever you choose, you need to learn some common programming concepts, and the rest is just syntax. Which you can easily google for each programming language you encounter.

    That could be enough, if you were to pursue other fields of cybersecurity. However, in Application Security you should also have more advanced programming concepts like Object Oriented Programming, design patterns, software engineering best practices and of course, knowledge about secure coding practices.

    Why? An important skill in AppSec is being able to do a white or gray-box security audit on a software product. White-box just means you have full access to source-code and to all of the necessary technical documentation (if it exists). Having coding skills helps you recognize how and why code is written the way it is. And with that, it will ease identification of what and where typical security vulnerabilities might appear just by following the code in an editor. With experience, you'll know what to look for in each audit, depending on what the application does (on a functional level) and the programming language it's written in (some programming languages have specific vulnerabilities).

    Bottom line is that you should be prepared to read and understand a variety of programming languages, depending on what your (future) employer is using. Hence having coding skills is a big advantage.

    The pogramming languages worth mentioning are: C, C++, C#, Java (including Kotlin/Android) and Assembly. You don’t need to master all of them. It depends on what you like and where you would like to focus your initial efforts. You should know one very well though.

    The good news is that except for C & Assembly, which is are lower level languages, the others have similar features and syntax. In the enterprise and web world, high-level languages are common because they are safer to use and easier to learn and maintain. The embedded and IoT fields mostly make use of C or C++ because of hardware or performance restrictions. Assembly will be required if you do reverse engineering, malware analysis or exploit development.

    Application Security Skills

    Besides the foundational skills previously mentioned, there are some Application Security specific tools and methodologies to be aware of: from simple things such as what is a black-box vs a white-box audit, to knowing what scanning tools like SAST (Static Application Security Testing), DAST (Dynamic AST) or SCA (Software Composition Analysis) do, with pros and cons, to more complex subjects like threat modeling.

    Where to start? NIST and OWASP are two industry recognised organizations that offer frameworks, guides, tools and best practices guides for cybersecurity programs. You can start with NIST publication 800-53 and OWASP Web Security Testing Guide. Note that even if tailored for web-apps, lots of information from the OWASP document applies to all kinds of applications. These are very comprehensive documents (several hundreds of pages each), but you don't really need to know them by heart. However, you should what they are about at least.

    By going through those documents, you'll probably encounter lots of new terms you'll need to research and understand. It might be a bit overwhelming at first because of all the new information, but bit by bit, everything will fall into place.

    As applications have grown in size, code and deployment complexity, releasing new features faster, become a necessity. Thus DevOps appeared to fill in this gap. Most companies have some kind of build and deploy pipelines for their software products.

    So why not integrate security directly into those pipelines?

    First, let's see what resources are required to handle a newly discovered security vulnerability:

  • 1. Suppose a vulnerability is reported by a security researcher in an existing public app via your bug bounty program.
  • 2. You, the Application Security Engineer, validates the issue and notifies Engineering about it. This would probably include opening a ticket in a management system like JIRA.
  • 3. Then, a developer would triage that issue and confirm it as valid or reject it. Perhaps the issue is a business requirement, who knows?
  • 4. Assuming it was confirmed, a lot more time is spent by the Product, Engineering and Application Security teams for planning, estimating, fixing and validating the fix.
  • You can see how this can add up in terms of company costs.

    You could split the Software Development Lifecycle into the following chronolgical phases:

  • 1. Analysis
  • 2. Design
  • 3. Implementation
  • 4. Testing
  • 5. Deployment
  • 6. Maintainance
  • The previous example (the vulnerability is discovered in a bug bounty program) is basically happening in the 6th phase of the SDLC process (maintainance).

    The goal of “shifting left” is to add security controls at each step of the SDLC to detect and mitigate vulnerabilities as early as possible, with the lowest possible cost. Hence the notion of Secure SDLC appeared. For example, at step 1 (Analysis), one would have to also establish security requirements. In the Design step, Threat Modeling can help identify and mitigate certain threats before writing any code, just by building a secure architecture. In the Implementation phase, one would use static analysis tools (SAST), and dynamic scanning tools (DAST) in the Testing phase.

    Integrating security controls and tools into Continuous Integration and Deployment pipes takes a good amount of work and maintenance which lead to what is known as DevSecOps.


    Short for Developers, Security, Operations, DevSecOps automates the integration of security at every phase of the software development lifecycle, from initial design through implementation, testing, deployment, and delivery.

    DevSecOps appeared as the industry adopted Agile and DevOps, making the SDLC shorter and shorter (from months to days). When the SDLC was long and companies were releasing a couple versions a year, security was mostly an afterthought and was mostly added-on.

    In today's world of micro-services, when releases are down to days, that's no longer a viable option as it becomes a bottle-neck in the process. So a big benefit of the DevSecOps approach is that it brings speed and security to the SDLC. Engineering teams deliver faster, more secure code, thus lowering costs.

    From the co-author of the DevSecOps Manifesto: "The purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety requirement".

    DevSecOps brings a repeatable process with which you can apply security controls in a consistent manner across the organization, achieved through automation. Proper security controls prevent the introduction of new security vulnerabilities or components with known CVEs into the application.

    Every company is different, so each will have a DevSecOps process adapted to their specific technologies and protocols. Depending on how mature a company's AppSec program is, you might end up doing a certain amount of DevSecOps work.

    Small software companies usually have a small cybersecurity team, with only a few people (even 1) working on Application Security specifically. Their Application Security programs are in their infancy, cyber security policies might not exist or be enforced by security and management. Likewise for security tools. You might not even have a budget. So open-source tools might be your only option.

    Then there's the company culture aspect. Since security is probably not the number one priority for these companies, you'll face various hurdles while trying to implement AppSec into the SDLC process, such as push back from developers, managers or other stakeholders. Security isn't always considered a feature. It doesn't usually make money for the company, so the things that do are prioritized.

    However one can make a point that history has shown us plenty of security breaches that brought heavy impact to companies, even to the point of bankruptcy. So you should try to influence and make friends among stakeholders: find top-down and bottom-up support, create security policies, use free tools, and eventually budgets should come.

    Bigger and more software-focused companies tend to have bigger AppSec teams and mature security programs. Tools, policies and processes are probably already in place, so there would be some work to be done for maintaining, on-boarding of new projects, evaluating new tools, etc. This kind of work might get kind of repetitive and tedious. However you'll be able to see the impact of your work sooner, because security is a priority driven by a proper security culture.

    Threat Modeling

    According to OWASP, "Threat Modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value. Threat modeling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, things in the Internet of things, business processes, etc. Threat modeling can be done at any stage of development, preferably early - so that the findings can inform the design."

    Threat Modeling is a process where one gathers relevant stake-holders (security, engineering, product, etc) and go toghether through a process of representing how the application works, documenting a list of security assumptions, threats, corresponding action to be taken for each threat and a way of validating that those mitigations work. It's usually performed as a white-board exercise with all the team-members in the same room.

    Threats can be discovered via brainstorming or by using a structure to help think it through like STRIDE, Kill Chains or CAPEC.

    In the Agile context, Threat Modeling can be applied at the sprint/iteration level. Each sprint one can evaluate the changes in system architecture and if and how they affect previous threat models.

    Mature Application Security programs perform Threat Modeling on a regular basis (might even be a requirement for some). When starting-out in Application Security, you probably won't be doing too much of it. In my experience, it's usually the more Senior people who lead them. But of course, you'll have the chance to sit with them and learn the process yourself. Nonetheless, you should definitely be aware of what a threat model is, how it's executed, frameworks, etc. NIST and OWASP are great resources for learning about it. You can try some theoretical exercises, like "how would you threat model the X web-app?"". Similar scenarios might also come up in Application Security Engineer job interviews.

    HTTP & Proxies

    As most web applications use some kind of HTTP communication with a backend server, you will need to be comfortable with understanding HTTP (with all its versions), browser mechanisms like cookie security attributes and security HTTP headers and CORS. Sometimes you'll need to take a peak into what happens inside those requests. Or perhaps try to bypass security measures by sending modified HTTP requests. Or you might need to automate the sending of some HTTP requests, like a login or something. For some, you can use a browser or an extension like Postman. However, they're not really made for AppSec use.

    Fortunately, there are tools specifically built for this purpose. They are application intercepting proxies and offer a variety of functionalities for dealing with those problems. As the name says, they allow you to intercept HTTP requests. You can then log, tamper, repeat, block or forward those requests. Besides request interception, these tools offer ways of sorting and filtering requests, encoding/ decoding data, automating requests or even scanning for security vulnerabilities.

    One of the most used tools of this kind is Burp Suite. It has a free Community version that has all the functionality you need. The Pro version includes an automatic scanner and removes some restrictions (which is nice to have, if you can afford it).

    If your focus is web-apps, either working in Application Security or just doing bug bounties, Burp Suite is like a swiss knife in terms of tools you need. If you have some scripting skills, you can even extend its functionality by writing custom plugins. Need to add a custom header to some responses? No problem, code it yourself.

    I love Burp Suite and it's probably the tool I use most when looking for security vulnerabilities. And this doesn't apply only to web-apps. You can intercept desktop or mobile app requests just as fine. I use it just about every day and it's simply awesome. There are alternatives to Burp Suite, like OWASP ZAP or even Charles (MacOS), however Burp is the one I've grown to like most as it brings the best set of features for my needs.

    There are many products out there that don't use HTTP communication. However, I feel that is rarely the case these days and being comfortable with Burp/Zap/other similar tool is a requirement for an every Application Security Engineer.

    OWASP Top 10

    If you're not convinced of how much OWASP helps cybersecurity with it's free resources, you'll get another chance to change your mind. You might have heard of OWASP Top 10. If not, you should google it and read more.

    In a few words, OWASP Top 10 represents a broad consensus about the most critical security risks to web applications. You should be familiar with most of the risks described in the OWASP Top 10, as it's a great step towards building more secure code.

    There are well known things there like: Injection, Broken Authentication, XXE, Broken Access Control or Cross-Site Scripting.

    To better understand each one's impact, I found it beneficial to practice vulnerability exploitation. So after you understand what a vulnerability is, what causes it and how it can be fixed, you can try exploiting it.

    Where can you practice? You have a bunch of options: online platforms, CTFs or “vulnerable” applications designed to practice security skills. You can find a few apps on OWASPs GitHub: WebGoat, SecurityShepheard or SecureCodingDojo. Just deploy them on your local machine and have fun.

    Demonstrating security impact will also help you deliver a convincing argument to Engineering and Product teams, while contributing to better prioritization. In mature AppSec programs, the need for convincing work is way less as people tend to be more open to fixing security issues.

    On the other hand, in less developed programs, people will need more convincing and proof of impact. Because of lack of security training, relationships or just plain distrust in security teams ("they give us more work", "I don't care about this", etc), some vulnerabilities might seem only theoretical without an actual proof of concept to some people. It's your job to educate them and expand their security awareness. Which is a win-win situation. But you can't do that, unless you have a good grasp on those concepts yourself.

    Security Testing Methodologies

    There are several frameworks out there that can guide you on how to perform a security audit. You can get started by looking at the Penetration Testing Execution Standard (PTES). It covers the basic steps of executing a penetration test:

  • Pre-engagement Interactions
  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting
  • A great reference tailored for web-apps is the OWASP Application Security Verification Standard. The ASVS is a list of security controls that provides a basis for testing web applications. It can be used by security professionals to have a structured and comprehensive assessment. But because it also acts as a checklist, it can be used by developers as a reference to adhere to secure coding practices.

    The major advantage of using ASVS (or a similar framework) is that you can normalize security controls across the entire line of software products. Developers know what controls should be in place and security people know what to look for. And it's a repeatable process. You can even adopt or adapt parts of it and add them to your Application Security Policy.

    The ASVS controls list is divided into 3 levels:

  • ASVS Level 1 - low assurance, but is completely penetration testable by humans
  • ASVS Level 2 - for apps containing sensitive data and is recommended for most apps
  • ASVS Level 3 - for critical applications (high value transactions, medical data, high trust, etc)
  • "Testable by humans" just mean that you can do it in a black-box manner. Levels 2 and 3 require access to source code, documentation, build/deploy environments or other human resources.

    Note that you don't actually need to know ASVS by heart. But knowing about its existence and what it's used for, can be immensely helpful in your Application Security career. A lot of the security controls from ASVS aim at mitigating OWASP Top 10 risks.

    You can see how these two work together to create a security policy and a testing methodology at the same time.

    Reverse Engineering

    Reverse engineering experience might be a requirement for some Application Security roles. Even though it probably won't be the main part of the job. It's just one of the many hats an Application Security Engineer might have to wear.

    You don't necessarily need to be a rockstar malware reverse engineer, but knowing your way around Ghidra/IDA/radare2 is definitely an advantage. You could learn basic stuff about how binaries and memory are structured, typical binary and memory protections (DEP/NX, ASLR, PIE, etc), what is the stack, heap, how a stack buffer overflow works as well as heap vulnerabilities.

    In the web world you won't really get to use those tools, hence it probably won't be a hard requirement. However, you might encounter Java and .NET applications. These applications are easy to decompile from their byte-code encoding to readable source code using public tools (see jadx for Java and dotPeek for .NET). Since source-code is extremely helpful for finding, confirming and exploiting a vulnerability, these tools are of great help to an AppSec Engineer.

    You can practice reverse engineering by resolving "crackme"s. These are challenges built by other people designed to teach a technique or concept to reverse engineers. They usually have a diffculty rating, so you can progress from easy to hard challenges when you're ready. Hackthebox has some similar challenges, if you don't now where to start.

    Soft Skills

    Communication skills are very important in Application Security. You need to be able to communicate efficiently with Engineers, Managers, Sales, Legal, vendors, researchers and others. Usually, the smaller the company and the AppSec team, the more hats you're going to wear and deal with a bigger variety of people. Not everyone will be technical, so you need to be able to adapt to the various scenarios.

    Of course, you'll need to be able to work in teams: AppSec teams are usually small, so you're going to need all the help you can get from your team mates. You'll also need to be able to work in a “fast paced environment” (in HR talk). Priorities change all the time, so be prepared to context switch frequently. Right now you're trying to deploy a tool, next thing you know you're entering an incident response call.

    Context-switching is contra-productive for technical work, as you get out of “the zone”, but it is what is it. Jumping around from task to task might be frustrating, especially for inexperienced engineers as it builds up fatigue and can eventually lead to burn-out. I think that this is also one of the reasons that Junior positions are rare in cybersecurity. Juggling multiple tasks gets easier with time, when you already have a solid knowledge base. When you're just starting out, the pace of which you have to learn new things in cybersecurity can be exhausting.

    You need to have good time management and respect for your time and personal life to avoid that. Reserve continuous time at work for intensive tasks, training or whatever you need and make sure you stick to it.

    Aligning With Business Needs

    Another important skill is the ability to understand the business needs of a company. For example, a CRM company would have different security needs than a payment processor or a clothing company. You need to be aware of this to be able to communicate efficiently with the people responsible for the business. And with the ones responsible for driving the fixes. There is no universal approach to this, as every company is different, but it's definitely a thing you should be aware of.

    For example, a company building a smart door lock, could ask at the interview how would you secure it? You have to create a threat model considering radio injection and jamming attacks, physical attacks plus the software side (internet connection, authentication etc).

    In the end, the business mostly cares about the money. How much do we risk if we don't fix a problem versus how much would it cost to implement the fix?


    The security industry evolves at a fast pace. New vulnerabilities, tools or techniques appear almost every day, so it's important to be aware of what's happening. Depending on your interests, there are sites or groups for every security niche. Reddit has some good subreddits like /r/netsec. You can build an RSS list. Or another great way to get the latest is to follow people on Twitter. Just start following known members of the security community, and over time your list will get bigger and bigger.

    A common warm-up interview question is "where do you get your security news?". Or how do you stay up to date? Of course, they don't necessarily care for tips from you. They want to see you're connected to what's happening in the industry. It might even give a glimpse into the level of passion you have and willingness to learn and grow.

    Conferences are great because you can meet people and make friends working in InfoSec. You also can promote your ideas or make connections. At same time, you're staying up to date with research while having a beer. There are some great conferences all over the world, so just google for the ones closest to you. You can also check OWASP meet-ups as they happen pretty much everywhere and they are great ways to get into the security community.

    Or you can subscribe to my newsletter (on the homepage). Easy!

    Document Everything!

    Learn to document your actions. Writing documentation is part of cybersecurity. From reports, to policies and procedures. You can even post some of it (non-company informatio, of course) online and give back to the community. Built a tool during your research? Post it to GitHub.

    Having technical side projects shows your interest in technology and your ability to learn. Personally, I'm always working on some-kind of automation. Or perhaps have fun on some CTF challenge. It can be anything.

    Things like these can improve your chances of landing that AppSec job you wanted, especially when you don't have that much experience. You should avoid answering with “no” when an interviewer asks you if you have side projects.

    A project demonstrates that you identified a problem and solved it by finding, creating or adapting a solution. The ability to problem solve is crucial in cybersecurity, as it moves quickly and you will find yourself in new situations all the time. You'll need to do on the spot research or perhaps apply a technique or react to something totally new, you've never seen before. I consider this to be a perk of the job, as it makes it diffcult to get bored. Some people however, may not enjoy this work style.

    Building Skills


    A great way to build your skills is to participate in Capture The Flag (CTF) events. They are called like this because your objective is to obtain a flag, usually in the form of a string (or a hash). Possessing this flag proves that you completed the challenge.

    There are several types of CTFs, including live and online competitions between teams of hackers. And then there are platforms like HackTheBox. This is a pen-testing lab where you can practice offensive network security in a safe and controlled environment. This means everything from port scans, binary exploitation to web-app exploitation. It also has several simpler challenges for multiple security fields like cryptography, steganography, forensics, etc.

    This is the platform I used to get most of my training before embarking on the OSCP journey and I found it extremely valuable. I did almost all the active machines for a couple of months, except for a few hard ones. The free account on HTB offers 20 free active machines at a time. Every week, one machine gets retired and a new one is added to the active pool.

    Doing these types of exercises will grow your fundamental knowledge required in Application Security (and some more!). You'll enhance your shell scripting, networking and programming kung-fu. After you hack a machine, look up write-ups and see if people found a different way of hacking that machine. Everything you need is out there.


    Since we mentioned certifications, getting one is a great way of gaining knowledge or proving that you have it. So are security certifications worth the money?

    Yes, at least some of them. There are lots of companies which require some security certification to get an a job. And there are others that don't. But they do appreciate them. Ultimately, most companies evaluate the entire package:

  • certifications
  • experience
  • hard & soft skills
  • other aspects which add up to create a good candidate.
  • If you don't have certifications, but know your stuff and prove it in the interview, you have nothing to worry about. But it helps if you do. Even more if you are just trying to get into the field.

    Some good starting security certifications:

  • SANS courses - GSEC, GPEN, GWAPT. These are pricey (~7k USD), but very comprehensive and they pretty much have a course for almost any area of security. You get lots of information as books which you can use during your exam. However, due to the huge amount of information you need to search though, you need to create some indexes for the 3-4-5-6 books you get to allow you to quickly find the info you're interested in. A downside of SANS courses is they expire and you have to renew them. Note that the exam is ~2k USD.
  • Offensive Security - OSCP, OSEP, OSWE - OffSec give you all material required to pass the exam. Their exams are challenging, hands-on, and take a lot of time. So be prepared! An advantage of OffSec certifications is that they don't expire. There are other certifications out there, but I would recommend the ones from SANS or Offensive Security.
  • Bug Bounty

    Another way to get experience (and even make money) it to participate in Bug Bounty programs. Platforms like HackerOne and BugCrowd simplify the process of working with a company that has public or private security programs. Always read the program's brief, take notes of what's in scope and what's not, and jump in. Careful of staying in scope, as hacking the wrong servers that can get you a free trip to jail (not usually).

    Some people end up making a lot of money from bug-bounty, while others just do it to prove their skills before obtaining a job. There was a hacker who made 2 million dollars from bug bounty, but I guess those are mostly the exceptional cases.

    Have Skills? Landing That AppSec Job

    Although there aren't really Junior positions in cybersecurity in general, there are some ways to get your foot through the door. Since you lack relevant security experience, you have to prove your skills some other way.

    One way is to get one of those security certifications. They might help you land an entry level position in a bigger, more Senior team. There aren't many good Application Security entry level certifications though. OSCP (or similiar) can get you into the attacker mindset, but it's geared more towards network penetration testing, rather than AppSec.

    Another way to do get started into AppSec is to move laterally inside the company you already work at. The best AppSec Engineers are great Software Developers or have good experience in at least one programming language. But this means they can read code in pretty much any language without too much hassle.

    So if you work as a Developer, try to pick-up security skills. Security vulnerabilities are just code quality issues, right? As a developer, you probably already encountered some of them. You just need to make your desire is known inside your company.

    If you don't have an AppSec team, perhaps there are Security Champions or something equivalent. Security Champions are the go to guys inside a team or organization for security issues. Try to improve the security posture of your application: add SAST, DAST or SCA tools. Train some colleagues on security issues or similar.

    If you're not a developer, you can try to learn some programming and/or get a security certification. There are great AppSec Engineers coming from QA, DevOps, or completely unrelated fields, so it's definitely possible. Keep growing your network by going to conferences, attending CTFs and social media, and you should be able to get some interviews going.

    Note that companies having a small or non-existent AppSec team will probably look for more experienced Application Security Engineers. Bigger teams will be more willing to embrace a cybersecurity noob, so keep that in mind when applying for interviews and don't get discouraged if you get turned down a few times. You could just ask the interviewer what is the team size. Lots of companies advertise they're looking for Senior AppSec Engineers, but end up interviewing all kinds of candidates due to the shortage of talent. Depending on your skills and your ability to demonstrate willingness to learn, you might get the opportunity.


    I hope this guide helps you achieve your goals of getting of landing that Application Security Engineer position! If you have a good grasp on the things mentioned here, you won't have a problem getting into AppSec interviews.

    Don't be discouraged if the first attempt doesn't land you that dream job. Just keep trying and you'll get there! The AppSec world is huge, and it keeps growing as more and more companies focus on their security. There's definitely a place for you! Thanks for reading.

    If you found this guide helpful, please let me know by subscribing for more content like this!

    About the Author:


    Application Security Engineer and Red-Teamer. Over 15 years of experience in Application Security, Software Engineering and Offensive Security. OSCE3 & OSCP Certified. CTF nerd.