A friend and fellow geek recently reached out for some career advice. He’s currently working as an app developer, and he was wondering what steps he could take to steer his career more toward application security.
Since I’m a geek with a degree in music education who now works as an information security consultant who also teaches infosec classes all over the world, he thought I might have a tip or two I could share.
Turns out, he was right. 😉
I’ll tell you the first thing I told him: Check out my blog post on how to land a job in information security. While the post isn’t specific to app developers, it does contain some foundational knowledge for anyone debating a move. (Considering how starved the industry is for full-time infosec professionals, I’d appreciate it if you could share that post with anyone you might know who might be interested.)
The next thing I told him was that he should start attending the local OWASP chapter meeting. If you want a career in appsec, you need to talk to other security-minded developers, find out what they’re doing in their day-to-day work. Side note: if your city doesn’t have a local OWASP chapter, start one.
If you’re interested in the appsec tool space, NIST’s SAMATE site has an extensive list tools, broken down by a taxonomy designed to help you find the right tool(s) for your organization . I dig this list because it includes source code security analysis tools as well as web application vulnerability scanners.
Running tools is one thing, but developers who are familiar with the OWASP Testing Guide can dive so much deeper than those who react to only the vulnerabilities that an automated scanner identifies.
I also sent him a copy of a presentation I’ve been working on for integrating application security into the SDLC. As of this writing, I haven’t posted the presentation to my SlideShare account, but feel free to drop me a line if you want a copy.
Finally, I told him he should ultimately apply that book and lab knowledge toward some real world work. Growing security companies (like the one I work for) are always on the lookout for security talent, and the sooner he (and you) can join in the fight to help these companies secure their web apps, the better.
Your planet needs you. Would you like to know more?