How to Be an App Security Consultant5 Skills That Will Set You Apart
Application security is fast becoming the most challenging aspect of information technology. Not surprisingly, it drives demand for highly skilled consultants. I've been working in the field since the mid-1990s and have built two successful consulting practices. So, today I'd like to share some of the characteristics I look for in promising consultants. (Also, read: 5 Application Security Tips
Everyone in application security needs to have a strong background in software and security. But what sets a candidate apart from the rest? Here's a quick summary of what strong candidates should be thinking about:
Only a small percentage of people really enjoy making software do things it wasn't intended to do.
Software: To work in application security at all, you need a strong software engineering background. That means you should probably have a strong aptitude for software and a few years of professional software development experience - ideally on a variety of languages, frameworks and technologies. A computer science degree isn't absolutely necessary, but highly recommended.
Security: Only a small percentage of people really enjoy making software do things it wasn't intended to do. If you're one, then you might just be an application security person. Your foundation should include risk management, security architecture, common weaknesses and vulnerability analysis. I strongly suggest learning to clearly explain common vulnerabilities, starting at the high-level business concern, working through the technical flaw, and closing with detailed remediation advice.
The Open Web Application Security Project (OWASP) is a great source for people getting started in the field. You can start with the OWASP Top Ten and move up to more detailed documents like the OWASP Testing Guide and the Application Security Verification Standard (ASVS).
I highly recommend getting some hands-on experience by using OWASP WebGoat, a vulnerable application designed to let you experiment with different types of flaws. You should also get familiar with testing tools like OWASP Zap, a security testing proxy. To develop your model of what security controls ought to look like, study the reference implementation of the OWASP Enterprise Security API. You can learn a lot from others by attending OWASP Local Chapter meetings and our conferences.
That's a good start if you just want to work in application security. But this blog is focused on the additional skills you'll need to be a top application security consultant - a trusted advisor to organizations producing the applications that have become critical to government, finance, defense, healthcare, energy and other industries. It's a challenging profession, and I've broken out five key skills that will distinguish you in the field.
- Fearless ability to conquer new technologies: Our consultants face all kinds of technology from mainframe to mobile and everything in between. You will need to be able to digest novel architectures, reverse-engineer application environments extremely quickly, and interpret security principles to discover vulnerabilities. The best way to build your skills is to practice by verifying the defenses of open source applications.
- Innate business acumen: Good consultants have the innate ability to understand a business, including the people and processes. Many application security experts are introverts and focused on technology, but you can't provide good advice without deeply understanding the business context. Do your homework and learn about your client's industry.
- Superhuman efficiency: The reality of our market is that organizations have far more applications to secure than there are consultants to help, so the time pressure can be significant. To verify applications quickly, you need to develop your ability to design and execute super-efficient security experiments. You have to be able to jump between a running application, the source code, and your tools quickly.
- Grow relationships: While your client may be focused on the immediate project, you need to think about strategic opportunities to improve their capability and plan out a roadmap to help them get there. You need strong people skills to manage complex organizational relationships and politics.
- Dynamic leader of culture change: The best consultants are able to understand the culture of an organization and how to influence it. You need to inspire your client, structure a program they can believe in and deliver tangible results. To build your skills, work on your storytelling and presentation skills, start teaching and speak at conferences.
For the right person, a career in application security consulting is incredibly fulfilling. You learn about a huge range of businesses and experience a wide variety of technologies. You may enjoy the endless stream of interesting challenges in finding security weaknesses and designing effective solutions. Or perhaps you like the idea of protecting systems that perform a critical function in society. Or possibly you believe that software can help mankind achieve new heights, and don't want to see hackers slow our progress. Whatever your reason, I hope you join us.
Jeff Williams is the co-founder of both OWASP and Aspect Security, a consulting company focused exclusively on application security and training services.