I've been doing application security consulting for over 20 years. When I first started, it was hard to convince customers to care about security. Now there's so much work that skilled professionals are in very high demand.
I've talked to hundreds of AppSec professionals over the years both at work and at OWASP, and universally they find the work to be interesting, challenging and constantly evolving. This field is particularly attractive to those who like puzzles and figuring out how things work that no one else really understands. To me, this makes entering the AppSec field a strong career move for anyone interested in this kind of work. I don't care how old you are, there will be demand for this kind of talent for the rest of your career.
However, if AppSec were easy, the supply of talent would meet the demand, and currently that's not the case.
The key ingredients to being a good AppSec consultant are: a strong interest in this kind of work; the right technical and business background; strong aptitude; and, for many, a willingness to travel at a high tempo. Here are the key skills and interests that make a great AppSec consultant:
- Security DNA: The ability to see things that aren't there. Like Sherlock Holmes solving a case by noticing that the dog didn't bark. This may be something that some people just will never get, like programming with pointers. But if you have a natural ability with puzzles and won't let go of a problem until it's solved, maybe you can develop your gift and use it for finding vulnerabilities.
- Strong Background in Software Engineering: This is a must in my opinion. Several years of experience developing enterprise software is very helpful. If you've risen to a team lead or architect, you are well positioned to be a great AppSec consultant.
- Interest in, and Exposure to, Application Security: Many companies are willing to train experienced software engineers to become AppSec consultants. If you've had a chance to focus on AppSec already, that's a significant bonus.
- Ability to Learn New Technologies: Technology evolves quickly. Exposure to a wide variety of technologies and languages is helpful, but the willingness and ability to learn new ones quickly are fundamental.
- Helping Customers Push Left: AppSec consulting isn't just about finding vulnerabilities. Mature organizations focus on preventing them in the first place. The earlier (i.e., further left) in the development lifecycle you address security, the lower the overall cost of fixing problems will be. Helping clients push left efficiently and effectively is a key skill. This includes activities such as threat modeling, architecture review, developing standard security controls, and teaching developers how to write secure code.
- Strong Interpersonal Skills: AppSec is not just about finding vulnerabilities. It's about helping your clients cost effectively manage and reduce risk. Good consultants quickly understand their clients' business, including people and processes, and use that understanding to build relationships to help the client make good risk decisions.
Personally, I find the amount of travel required can be difficult. While I like traveling to new places, a high travel tempo or traveling to the same place over and over can get old. On the other hand, traveling provides exposure to a variety of projects, customers, applications and technologies. This helps grow your technical and interpersonal skills, and variety makes for interesting work. So, you'll have to weigh the benefits against the drawbacks based on your personal situation.
How do you find a great company to work for? Look for a company with these characteristics:
- Strong Team: The fastest way to learn and grow is to work with others who have strong skills and who are constantly advancing those skills.
- Variety of Work: Opportunities to work on many different engagements for a variety of customers. The variety of technologies, languages and architectures will challenge you, but will also keep things fresh and interesting, and enable you to expand your knowledge base.
- Support for Education: Provides significant training/mentorship opportunities.
- Opportunities for Responsibility: Gives you the ability to grow in responsibility as fast as your capabilities mature.
- Good Work/Life Balance: Does the company expect a reasonable work week and an appropriate travel tempo?
Landing that dream consulting job isn't easy, even with the strong demand that's out there. To distinguish yourself in the marketplace:
- Get Experience: If you aren't already doing AppSec, become the AppSec champion on your development team, or work on an open source AppSec project. Making valuable contributions to open source projects is a great way to showcase your technical and interpersonal skills and distinguishes you from other candidates. If you are new to AppSec, read the OWASP Top 10, which links to numerous free resources for you to continue your education. Get some hands-on experience testing vulnerable applications like OWASP's WebGoat using proxy testing tools like OWASP's ZAP.
- Specialize: Further develop your skills in specialty areas such as manual code review, mobile security, reverse engineering and web services.
- Lead: Demonstrate strong interpersonal skills by gaining project management, team lead or training delivery experience. Speaking at conferences is great for your resume.
Good luck landing that AppSec consulting dream job. It's a great field. Look for me at the next OWASP conference, as I would be delighted to meet you.
Dave Wichers is the co-founder of both the OWASP Foundation and Aspect Security, a consulting company focused exclusively on application security and training services. He serves on the OWASP Board and is the OWASP Top 10 project lead.