How to Kickstart a Career in Application Security


A friend and fellow geek recently reached out for some career advice. He’s currently working as an app developer, and he was wondering what steps he could take to steer his career more toward application security.

Since I’m a geek with a degree in music education now working as an information security consultant who also teaches infosec classes all over the world, he thought I might have a tip or two I could share.

Turns out, he was right. 😉

I’ll tell you the first thing I told him: Check out my blog post on how to land a job in information security. While the post isn’t specific to app developers, it does contain some foundational knowledge for anyone debating a move. (Considering how starved the industry is for full-time infosec professionals, I’d appreciate it if you could share that post with anyone you might know who might be interested.)

The next thing I told him was that he should start attending the local OWASP chapter meeting. If you want a career in application security, you need to talk to other security-minded developers and find out what they’re doing in their day-to-day work. Side note: if your city doesn’t have a local OWASP chapter, start one.

I also told him to download some free appsec tools like Burp Suite or Samurai WTF and just start playing around. Another tool I use frequently is OWASP Mantra, a tricked-out version of Firefox that gives you an incredible amount of control over (and ability to interact with) web applications and the infrastructure they reside on.

There are also a TON of deliberately vulnerable practice apps available for you to hone your skills on, including:

If you’re interested in the appsec tool space, NIST’s SAMATE site has an extensive list of tools, broken down by a taxonomy designed to help you find the right tool(s) for your organization. I dig this list because it includes source code security analysis tools as well as web application vulnerability scanners.

Running tools is one thing, but developers who are familiar with the OWASP Testing Guide can dive so much deeper than those who react to only the vulnerabilities that an automated scanner identifies. If you want to test your application security skills, pick a site (that you’ve been authorized to test) and walk through the entire testing guide. Eye-opening…

I also sent him a copy of a presentation I’ve been working on for integrating application security into the software development lifecycle (SDLC). As of this writing, I haven’t posted the presentation to my SlideShare account, but feel free to drop me a line if you want a copy.

If you’re hungry for more application security knowledge, you can also hit up your local library for a few excellent books, including:

Finally, I told him he should ultimately apply that book and lab knowledge toward some real-world work. Growing security companies (like the one I work for) are always on the lookout for security talent, and the sooner he (and you) can join in the fight to help these companies secure their web apps, the better.

Your planet needs you. Would you like to know more?


How Much Does an Infosec Pro Make, Anyway?


First things first: if the only reason you’re considering a career in infosec is the money, maybe infosec isn’t the right career choice for you.

Information security professionals are a passionate lot. If you don’t believe me, attend any infosec convention (Black Hat, DEFCON, ShmooCon, GrrCON, CanSecWest, DerbyCon… the list goes on and on) and attend a talk from someone who’s worked in the trenches for a few years. Better yet, strike up a hallway conversation with another con attendee. You’ll find out exactly how passionate infosec pros are about their jobs in no time.


Information security is a challenging, sometimes frustrating, oftentimes thankless job. However, information security plays a critical role in the global economy, protecting the systems and networks that form the foundation of the Internet, not to mention the systems inside each organization’s network perimeter. The need for information security professionals continues to rise, with a projected 10-year job growth of 23%. This increase has resulted in a dramatically low unemployment rate for information security professionals.

In a field where the demand for qualified professionals is greater than the supply, salaries tend to be very competitive.


According to, here are the median annual salaries (U.S. National Averages) for a few different information security job roles:

  • Data Security Analyst: $74,334 (up to $95,220)
  • Data Security Analyst Senior: $92,317 (up to $113,790)
  • Data Security Manager: $108,982 (up to $136,758)
  • Information Security Director: $143,107 (up to $177,126)
  • Chief Information Security Officer: $168,545 (up to $238,099)


These are attractive salaries, to be sure, but don’t fool yourself into thinking they’ll come easy. These salaries come with experience, dedication, and hard work. Once you decide that you’re ready to pursue a career in information security, the next step is to learn the tools of the trade, and ultimately submit your infosec job application.

Happy job hunting!


How to Land a Job in Information Security


In July of 2011, the unemployment rate reported by information security analysts was a striking 0%. Not only were information security analysts reporting steady employment, they even reported an increase of 6,000 jobs between the first and second quarter of the same year. Two and a half years later, the Pentagon announced that it planned to add thousands of new cybersecurity jobs.

Sounds like a great time to be employed in the field of information security, doesn’t it?

Understand this: a career as an information security professional isn’t easy. Aspiring infosec professionals struggle to break into the industry, unsure of what skills they need or how to attain those skills. The lucky few who do break into the industry find themselves in a fast-paced, constantly changing industry, where the quest for knowledge is constant, as is the need to sharpen your skills.

It’s a busy, active, frequently stressful career, and most information security professionals wouldn’t change it for the world.

But how does someone outside of the field land a job in information security?

First and foremost, aspiring information security professionals need to understand and be able to explain the foundational concepts of information security. When you find yourself in a job interview with a security manager, you’ll need to be able to explain the CIA triad, the concept of defense-in-depth, and the step-by-step process that you would follow if you were tasked with securing a system or application.

Once you have a solid grasp of basic information security concepts, you need to know which information security job is right for you. Infosec professionals aren’t all cut from the same cloth. Some want to be heads down technicians, hacking away at target systems and finding ways around existing controls. Others want to spend their time writing policies and procedures, ensuring that the security of their organization is sustained through consistent, repeatable procedures. Other information security professionals want to interact with people on the business side of the organization, identifying security requirements and making the case for information security controls when the value of those controls isn’t readily apparent to non-security employees.

A job applicant with a basic understanding of information security frameworks and standards will send a clear message to the hiring manager that he or she understands what external compliance requirements will impact a retail organization versus a home healthcare provider. That same hiring manager is likely to be impressed by a job applicant who comes to the interview already speaking the organization’s internal security language.

For the more technically-oriented positions, job applicants will be expected to demonstrate a hands-on understanding of some of the more common information security tools. If a hiring manager asks you about Nmap, Wireshark, or BackTrack Linux, and you respond with a blank stare, that hiring manager is going to wonder how serious you are about the job.

Finally, an aspiring information security professional who already has one or more industry certifications will have a much easier time getting through the HR screening process and making it to the interview with the hiring manager. While a certification doesn’t automatically make you a security professional, it does send a message that you’ve studied the material and that you’ve retained an understanding of what you studied. More importantly, when you want to make the move to a senior level information security role, the right certifications speak volumes.

When you feel you’re ready to begin applying for information security jobs, visit the job board to see what jobs are currently available in each state. Narrow down your search to positions that fit your interests and your personality, and then submit your application.

Good luck!
