Application Security

Careers in Application Security

IT Security Pros Face a Bright Future in Software Development
Careers in Application Security
After 15 years of managing cybersecurity programs and performing IT security engineering functions, Richard Tychansky, an information assurance engineer at Lockheed Martin Corp., finds his role transforming. From pure security engineering, his job has morphed to being a policy evangelist, responsible for building security into his organization's software development process.

"Developers often don't understand the security standards and requirements that need to be addressed in developing software," says Tychansky, an application security advisory board member for (ISC)2. "My role is to show them how they can apply these recommended standards and best practices in their program."

Tychansky, represents a growing population of IT security professionals worldwide that is getting involved in application security as a new job focus. According to a recent (ISC)2 global workforce study that polled more than 10,000 private- and public-sector information security professionals globally, 22 percent of respondents are involved in some aspect of the software development process. The main reason: the growing risks caused by a variety of development tasks.

"All new innovations in application technology and product offerings by an organization carry an inherent expectation that security will be built-in," says Alessandro Moretti, a senior IT risk executive at UBS Investment Bank in the United Kingdom. "This is pushing the need for IT security to get involved."

In his own role, he has seen involvement in application security in the form of mitigating risks and concerns springing from new product offerings that embrace mobile technology and social media. As a risk manager, Moretti now works closely with software developers to ensure that IT security is part of the development process.

For decades both communities of highly skilled experts - information security and application developers - have remained in near complete isolation from each other, resulting in a software development process that lacks any sort of understanding of technical security risks or concepts.

The information security mindset is focused on risk reduction and achieving assurance. But for a traditional application developer, IT security has been just another attribute of quality that needs to be checked. This perspective is changing.

Bridging the Silos

Emerging technologies, application vulnerabilities and regulatory compliance are forcing organizations to bridge the development and security silos and find avenues for interdisciplinary cooperation to produce software that is secure and better equipped to resist well-known and easily predicted attacks.

Take the case of Tychansky. He embraces a security mentorship role for application developers and constantly communicates with the group to help them understand the impact of security on software development and delivery practices. Example: pointing out which part of codes is usually exploitable and how the vulnerabilities can be fixed. Further, he plays an active role in educating developers on best IT security guidelines and practices from the National Institute of Standards and Technology , Open Web Application Security Project and the International Organization for Standardization to help them integrate security into the software development process.

"The companies that have found a path through the maze," says Alan Paller, director of research at the SANS Institute, "have identified a security-interested development leader on each development team that is trained in secure coding and can shoulder the responsibility for building security skills into every application by leading that element of the architecture, engineering and development process."

Making the Transition

For Brad Causey, a global chapter leader at OWASP, the transition to application development is similar to what Paller notes. From a network and security architecture role, he became an application security leader at a financial institution that is ranked among the top 30 U.S. bank holding companies.

"I saw a growing demand in web application security and realized I could do this, as I understood both security and the risks associated with software development," Causey says.

He finds that understanding IT risks and communicating them to the developers is a big gap he fills. For instance, a software developer does not often understand how an attacker can compromise a web application, exposing the entire network through a single port, resulting in a compromise and the subsequent risks associated with it.

"It is the security professionals who are trained to break and exploit systems to identify potential vulnerabilities and weaknesses in the system," Tychansky says.

Security professionals have spent their entire careers responding to attacks against real systems, analyzing codes and forensics on software, studying attack profiles, understanding common vulnerabilities and threats in applications, impact of weak security controls around software and how to mitigate these risks.

And as such, they are in a position to get involved in the software development process in their own capacities and offer their security guidance and expertise to fill the gaps and challenges that organizations are face when tackling software security appropriately.

Also, the transition for security professionals is advantageous in terms of both salaries and job opportunities within the industry. The salary for an average application developer is around $93,000 USD, ( which is significantly higher than what an average security professional makes: $78,000 USD [(ISC)2 survey].

Online companies and tech firms such as Google, Apple, Amazon, Facebook are increasingly looking for innovative thinkers with knowledge of Android and mobile applications.

Further, the focus on identity management, secure products and access control is driving the need for these professionals in traditional financial institutions, government agencies and healthcare organizations. Positions range from qualified security programmers, web application developers, software engineers to security architects.

New Skills Needed

Security professionals embracing application security roles need to acquire new skills, including an understanding of secure coding and the software lifecycle development process. Causey, who made this transition, recommends:
  • Education: in-depth knowledge of application architecture, the scope and effect of web applications and the risks they pose.
  • Language: Security professionals should get trained in reading at least one or two languages such as Java or .NET to understand how codes can be securely written.
  • Associations: Organizations such as ISC2, OWASP, SANS Institute and ISO provide specific training and education for security professionals in this field, and Causey suggests reaching out and becoming a member for more exposure and knowledge.

"This is not a hard transition for security professionals," Causey says. "In the next several years, the percentage of every company's security team will grow up to 60% by application security folks. This is the time to think beyond firewalls and access controls."

About the Author

Upasana Gupta

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.