Web Application Security
A Hot Information Security Skill Set for 2010
For the past few years, one of the hottest information security job skill sets has been web application security. Rolling into 2010, demand for web application security and secure software development (SDLC) skills continues at SecurityRecruiter.com. Employers typically look for two different kinds of web application security professionals.
Former Software Engineers / Former Application Developers
Web Application Security skilled candidates who come from an application development / software engineering background are in high demand. What is typically expected of these candidates is a background in C, C++, JAVA development or a background in Windows development from a Microsoft shop that sits beneath an application security skill set.
Here is a picture of a recent set of client requirements from SecurityRecruiter.com that demonstrates the skills a global employer running a UNIX / Linux, C++, Java enterprise environment required of a Web Application Security candidate:
Here is an example of a financial services employer’s need for a web application security professional in a Microsoft Windows environment:
Here is another example of a Secure Software Development / Web Application Security set of requirements delivered to SecurityRecruiter.com in 2009:
These three examples show needs for former software engineers / application developers who have ventured into the world of web application security.
Application Security Jobs without a Programming Background
Another profile employers sometimes appreciate is that of an application security professional who has not formerly been a programmer or software engineer. Application Security professionals in this category typically come from a security audit or network security background and are skilled reading C, C++ and/or Java code and understanding web application security vulnerabilities. These professionals will be skilled with automated application security software such as Fortify, Ounce Labs, AppScan, etc.
A recent client requirement for a non-programmer background to do web application security assessment work read like this:
Certification and Training for Web Application Security Professionals
At SecurityRecruiter.com, we saw our first Application Security titled search back in the 2002 timeframe. The search came from an enterprise financial services company and proved to be next to impossible to fill at the time.
Security training and certification bodies have begun to address web application security with training and certification opportunities such as these:
EC-Council, E|CSP, Certified Secure Programmer (Free introductory training through SecurityRecruiter.com)
ISC2, CSSLP, Certified Secure Software Lifecycle Professional
SANS, GIAC Secure Software Programmer - .Net (GSSP-NET)
SANS, GIAC Secure Software Programmer - Java (GSSP-JAVA)
Regardless of whether a security professional has a programming background or not, certification in this skill domain is highly recommended. Until these certifications and training opportunities were recently developed, there were no efficient ways for recruiters to determine whether a security professional had expertise in the realm of application security or not. Making this determination was a long drawn-out process and to some extent still is today.
As companies find more and more ways to leverage the Internet to do business, there will continue to be need for secure software development and web application security professionals to guide development teams to develop web-facing applications with security in mind.
Jeff Snyder is the President of SecurityRecruiter.com, an executive search firm highly specialized in filling security jobs. SecurityRecruiter.com has been filling security jobs since the mid-1990s in the US, Canada and abroad. Through the Security Recruiter Blog, SecurityRecruiter.com provides weekly security job updates, security resume writing advice and security career information. Free Security Training is offered in partnership with EC-Council