Emerging Careers in Application Security
Healthcare, Consulting Offer Hot Options to Skilled Pros
Application security is rapidly becoming the next hot focus area for information security professionals.
Momentum began to build in 2008, when Information Security Media Group's (ISMG) Application Security Survey showed that 90% of respondents saw application security as somewhat or a significant part of their overall information security programs.
Driving attention to the topic was a bulletin from the Office of the Comptroller of the Currency (OCC), reminding financial institutions that they needed to ensure the security of:
- Software applications they develop and manage in-house;
- Those that are developed and managed by third-party service providers.
The pressure to secure personal and financial data is gaining prominence, says James McGovern, Chief Enterprise Architect, The Hartford Financial Services Group. "Security has always been considered as an add-on and an extra feature," McGovern says. But application security professionals are now focused on building security into their applications and products. "This is the gap that organizations are filling today."
As awareness of the changing security and threat environment grows, so will the job market for application security professionals, says Rolf von Roessing, International Vice President of ISACA and Executive Advisor to KPMG. "Growth is seen in the identity management and access control field, which is a reaction of the market to heightened security and new threats."
Application Security Roles
Within an organization, application security professionals generally play the roles of:
- Quality Assurance Tester
- External Penetration Tester
- Developer or Coder
- Security Architect
- Database Manager
- ERP Specialist
"Today, application security professionals want to embrace security," says Sergio Pedro, senior partner with PricewaterhouseCoopers. The key is to educate and train them in security best practices so that recognized and trustworthy standards are in place. Besides the standard security certifications such as Certified Information Systems Security Professional (CISSP) and vendor-specific certifications like Microsoft and Cisco, he recommends that application security practitioners enroll in specific education and certification programs such as:
- A full or part-time masters of science degree in system engineering and systems management, as offered by Carnegie Mellon University;
- The GIAC Secure Software Programmer (GSSP) Certification offered by SANS Institute;
- Application security training offered by Security Compass, an application security consulting company based in New Jersey.
"If programmers learn more about application security and hold the required credentials, it makes it easier on everyone involved to prioritize application security," he says.
The career path for application security professionals is still not very structured, experts say. Most practitioners specialize in traditional technical infrastructure, in financial, ERP or IT systems, or in the business processing systems specific to their industry. From there, professionals can grow into leaders in application security, heading different teams and departments.
The 6 Key Skills
The primary application security skills that senior leaders look for include:
- A Specialist in the Application: with the ability to thoroughly understand the environment, platform and the language of the application. "It is easier to teach practitioners how to code securely rather than teach them to be a good developer," says Pedro.
- Understand Business Ramifications: Professionals should have a thorough understanding of what the application does for the business and how critical its security is to the business process. Example: for a banking front-office system, an application security person should understand what the bank does and what exposures might result from a security breach.
- Think Like a Hacker: Application security practitioners need to develop a mindset of a criminal hacker, says McGovern, to foresee changes and learn creative ways to attack the software and recommend appropriate actions. Professionals need to have equal and balanced passion for building software, as well as breaking software, with an ability to think both abstractly in terms of concepts, but also able to produce details when needed.
- Understand the Threat Landscape: How do security breaches manifest themselves in a) the application and b) typical patterns and tracks? For instance, in a front-office banking system, the application security person would have to recognize whether a transaction shows signs of circumventing segregation of duties, or signs of a collusion attack by two authorized users.
- Know Regulatory Compliance: Understand what the compliance and governance requirements are and how to make them work inside the application security concepts, says McGovern. Professionals need to be very familiar with how government regulations and industry standards such as HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley Act), GLBA (Gramm-Leach-Bliley Act), and PCI DSS (Payment Card Industry Data Security Standard) impact the implementation and security of an application and system.
- Good Social Skills: "Be able to gain buy-in from the development community and move in a way they become your ally, while also getting them to understand there is more work ahead," says McGovern. Application developers need to be business savvy and in a position to justify and explain to business process owners the vulnerabilities and the risk process that application security entails.
Where are the Jobs?
Significant demand for qualified application security professionals is beginning to grow in healthcare. "I would say that the healthcare sector has been more focused recently in acquiring application security talent due to HIPAA and HITECH regulations," says Pedro.
The financial sector and government agencies have essentially maintained demand for these services.
The jobs in these sectors are still found traditionally in:
- Major ERP / financial applications, i.e. SAP, Oracle;
- Industry-specific de facto standard applications;
- Web-facing, Web 2.0 technologies.
Many application security professionals have taken the consulting route. "The consulting rate for this role is always in the $200 to $300 an hour range, making it incredibly difficult to retain true top talent at traditional salary levels," says McGovern. "The challenge is that many enterprises don't have stellar reward systems for those who are on the expense side of the equation, and only consulting is the remedy for those organizations that haven't figured out the solution."
Recommended Reading: 6 Tips for Application Security Practitioners