How to Hire an Application Security Engineer
The Importance of Application Security
Embedding application security within the software development lifecycle (SDLC) is such a hot topic in the tech media precisely because so many organizations have been really bad at it. The Capital One breach in 2019? The SolarWinds hack in 2020? The Colonial Pipeline and JBS beef supplier ransomware attacks of 2021? And who can forget Log4Shell? The list goes on.
The takeaway here, though, is that these are not "point in time" issues; they are long-lived, as organizations struggle to address the underlying problems. This is highlighted in a September 2020 Security Boulevard article that talks about instances of Heartbleed still being "in production," even though the CVE dates from 2014.
Now, within any sizable software development team today, the individual responsible for securing the SDLC is the application security engineer, or AppSec engineer.
What is the Role of an Application Security Engineer?
If you check a job description for an application security engineer, it will typically outline the role as:
- Ensuring security principles are followed throughout the SDLC process
- Carrying out application security testing and reviewing code prior to release
- Ensuring security and compliance policies are followed
However, because application security engineers often lack the code context needed to make the changes themselves, policy issues and SLAs can become the focus and cause frustration and finger-pointing between application security engineers and developers.
Collaboration is the Key to AppSec Success
What sometimes gets obscured in the definition of the application security role is that these tasks can't be carried out in isolation; there are very human aspects to the job. AppSec processes today necessitate tight collaboration with development and DevOps team members. Continuous learning and mentoring more junior (or less "secure-coding aware") staff are keys to success in the role, as is providing input for continuous process improvement.
These priorities may outline a straightforward and understandably important position within a software development organization, but the context of where application security engineers fit in the SDLC process has changed dramatically in recent years.
How to Scale the Impact of Your Application Security Engineers
The nature of modern software development is that software innovation happens largely in the cloud via DevOps pipeline managers such as GitHub, GitLab, Jenkins and others, with team communication largely occurring through ticketing and messaging systems such as Jira and Slack. Security tools integrated into the pipeline generate large volumes of alerts that need to be correlated with applications and infrastructure and then communicated to teams over Jira or Slack, so the sheer volume of issues to run down can easily become overwhelming.
Asking an application security engineer to constantly oversee all these streams, monitoring for security best practices or possible vulnerabilities such as missing input validation, XSS, or secrets exposed in application code, would be analogous to asking someone to drink from a firehose. Wouldn't it make more sense to have a centralized platform that integrated all these streams? One that also connects to existing issue tracking tools and to core security data sources for threat intelligence, threat modeling and vulnerability databases, such as those provided by NIST, commercial solutions and internal knowledge bases?
If you're hiring for an open AppSec position, you will quickly see that it has become increasingly difficult to find candidates at the nexus of all these technologies and systems who are also comfortable managing the overall AppSec process. This is where an ASPM platform enables application security teams to scale their ability to identify, remediate, and prevent high-priority application-level security, vulnerability and continuous compliance issues, as well as to identify and eliminate coverage gaps.
Application Security Posture Management (ASPM) is a comprehensive framework that combines holistic visibility into security posture, risk-based prioritization, workflow automation, and unified data and analytics to implement, manage, measure, and mature a secure software development lifecycle. ASPM unifies security findings across scanning tools to create visibility into application risk and coordinates the people, process, and technology requirements needed to develop, deploy, and maintain secure applications.
ASPM platforms ingest and process findings from security testing and scanning tools across the DevSecOps pipeline and present prioritized findings and remediation recommendations. Tasks and workflows are automated, managed, and measured through SLAs between security, development, and operations teams, while enabling developers to fix issues fast and effectively without highly specialized training and skills.
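The correlation and SLA tracking described above (ingesting findings from several scanners with different schemas, merging duplicates, prioritising by severity and measuring against remediation SLAs) is illustrated by the following added example. It is not ArmorCode's code or any real ASPM product's logic; the three scanner names (sast-a, sast-b, sca-x), their output schemas, the finding values and the SLA day counts are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import json

# Remediation SLA in days per normalised severity. Constructed policy values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample output from three hypothetical scanners with three schemas.
# sast-a and sast-b both flag the same XSS sink in src/views.py, so they must merge.
SAST_A = """{"tool": "sast-a", "app": "payments-api", "results": [
 {"rule": "CWE-79",  "severity": "High",     "file": "src/views.py",  "line": 42, "found": "2024-03-01"},
 {"rule": "CWE-798", "severity": "Critical", "file": "src/config.py", "line": 7,  "found": "2024-02-20"}]}"""
SAST_B = """{"scanner": "sast-b", "project": "payments-api", "issues": [
 {"cwe": 79, "sev": 3, "path": "src/views.py", "lineno": 42,  "date": "2024-03-03"},
 {"cwe": 20, "sev": 2, "path": "src/api.py",   "lineno": 118, "date": "2024-03-03"}]}"""
SCA_X = """{"tool": "sca-x", "app": "payments-api", "vulns": [
 {"id": "VULN-PLACEHOLDER-1", "package": "examplelib", "version": "1.2.3",
  "severity": "medium", "found": "2023-12-01"}]}"""


@dataclass
class Finding:
    app: str
    kind: str          # "code" or "dependency"
    key: str           # CWE id for code findings, advisory id for dependencies
    location: str      # file:line or package@version
    severity: str      # normalised: critical / high / medium / low
    first_seen: date
    tools: set = field(default_factory=set)

    def fingerprint(self) -> str:
        # Tool-independent identity so the same issue seen by two scanners merges.
        raw = "|".join([self.app, self.kind, self.key, self.location])
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


def parse_sast_a(raw: str) -> list:
    d = json.loads(raw)
    return [Finding(d["app"], "code", r["rule"], f'{r["file"]}:{r["line"]}',
                    r["severity"].lower(), date.fromisoformat(r["found"]), {d["tool"]})
            for r in d["results"]]


def parse_sast_b(raw: str) -> list:
    d = json.loads(raw)
    sev_map = {4: "critical", 3: "high", 2: "medium", 1: "low"}  # constructed scale
    return [Finding(d["project"], "code", f'CWE-{i["cwe"]}', f'{i["path"]}:{i["lineno"]}',
                    sev_map[i["sev"]], date.fromisoformat(i["date"]), {d["scanner"]})
            for i in d["issues"]]


def parse_sca_x(raw: str) -> list:
    d = json.loads(raw)
    return [Finding(d["app"], "dependency", v["id"], f'{v["package"]}@{v["version"]}',
                    v["severity"].lower(), date.fromisoformat(v["found"]), {d["tool"]})
            for v in d["vulns"]]


def correlate(findings: list) -> list:
    """Merge findings with the same fingerprint: keep the earliest sighting,
    the highest severity any tool reported, and the union of reporting tools."""
    merged = {}
    for f in findings:
        fp = f.fingerprint()
        if fp not in merged:
            merged[fp] = f
            continue
        m = merged[fp]
        m.first_seen = min(m.first_seen, f.first_seen)
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[m.severity]:
            m.severity = f.severity
        m.tools |= f.tools
    return list(merged.values())


def prioritise(findings: list, today: date) -> list:
    """Attach SLA due date and overdue flag, then order by severity, then due date."""
    rows = []
    for f in findings:
        due = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
        rows.append({"fingerprint": f.fingerprint(), "app": f.app, "key": f.key,
                     "location": f.location, "severity": f.severity,
                     "tools": sorted(f.tools), "due": due, "overdue": today > due})
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], r["due"]))
    return rows


def triage(today_iso: str) -> list:
    """Full pipeline over the constructed sample: parse, correlate, prioritise."""
    findings = parse_sast_a(SAST_A) + parse_sast_b(SAST_B) + parse_sca_x(SCA_X)
    return prioritise(correlate(findings), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in triage("2024-03-10"):
        flag = "OVERDUE" if row["overdue"] else "ok"
        print(f'{row["severity"]:8} {row["key"]:20} {row["location"]:24} '
              f'seen by {",".join(row["tools"])} due {row["due"]} {flag}')
```

Run as a script it prints four rows from five raw findings: the duplicated XSS finding collapses into one row attributed to both SAST tools, the hard-coded credential (critical, found 2024-02-20) and the old dependency advisory are flagged overdue, and the remaining rows are ordered by severity and then by how soon their SLA expires. Keying the fingerprint on app, finding type, identifier and location rather than on the tool name is what lets a developer see one ticket per issue instead of one per scanner.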
Leveraging the Existing Security and Development Team
Since finding application security engineers is like trying to find gas for under $5 in California, it is important to look at your existing security and development teams and identify team members who might be good candidates for the AppSec role.
ASPM platforms automate critical security processes to the point where they can be executed by those who are not ‘application security experts’. Do you need AppSec engineers skilled in core application security practices? Absolutely you do. But by automating a wide range of AppSec operations and workflows, an ASPM platform accommodates a wider range of skill sets.
It enables traditional security engineers to get up to speed quickly on adopting AppSec best practices, and helps developers understand security issues within the context of their own code, ultimately enabling them to become Security Champions. And it fosters a collaborative environment where these groups can work together as one team.
Much like with low-code approaches to DevOps, ASPM is a force multiplier that enables developer teams to ship secure, compliant code faster than ever before.
Learn more about ArmorCode
Schedule a demo today and learn more about how ArmorCode can help you mature and scale your AppSec program.