Professional development

Application security: Is AppSec the right career for you?

Kimberly Doyle
October 19, 2021 by
Kimberly Doyle

The world is increasingly digital — particularly with today’s remote work and remote learning landscape. Enhancing security in the applications that we have all come to rely on every day has never been more important. As such, we are now seeing tremendous growth in the field of application security (AppSec), or the process of finding, fixing and enriching the security of apps to protect an organization’s data. 

The cybersecurity specialists who carry out this work hold the job of an AppSec professional.  

Proactively managing software risk is a big job and the career opportunities in this growing field are widespread. Virtually any business that makes software or uses it requires the skills of AppSec engineers, managers, analysts, consultants and numerous other role titles.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

“It used to be that you could draw really clean lines around what an application is,” says Sam King, CEO of Veracode. “Now we use API’s, opensource code, containers, infrastructure as code, configurations. … Today, it’s about bringing security to software in whatever form it presents and making it easy for developers to use — but not forgetting about the needs of a security team either.”

What is AppSec?

An organization’s software usually comes from a variety of sources: vendors, internal development teams and even partners. AppSec is meant to secure it all. It can do so during the software development phase, but it is also required as an ongoing effort. To do their work, AppSec pros have numerous tools at their disposal to identify and remediate vulnerabilities.

Gartner defines this as the Application Security Testing (AST) market. It’s buyers and sellers of products and services designed to analyze and test applications for security vulnerabilities, and it’s estimated to be a $3.7 billion industry with 12 percent growth forecasted in 2021.

Part of the industry’s growth is attributed to the rise in popularity of DevOps, or a combination of the terms development and operations. It’s meant to represent a collaborative or shared approach to the tasks performed by a company's application development and IT operations teams. The goal of DevOps is stronger alignment and cohesion between developers and systems administrators. And now, with security, DevSecOps.

“DevOps was gaining momentum because dev organizations realized the need for efficiency and better operations of code when it runs in production,” King said. “They wanted to break down silos and therein was an opportunity for the security team to say, if we’re going to change our practices around how we develop and deploy code, then why don’t we also include security as part of those new practices?”

What does an AppSec pro do?

To boost security and protect data, AppSec engineers work in partnership with developers, IT and others to set security policies for applications and build proactive programs that address the entire software lifecycle — from development to end of life. They also measure program results and report on progress, often supporting an organization’s Chief Information Security Officer (CISO).

Because software is never really finished — it’s almost always on a regular update schedule and deployments are continuous — it’s important for security to be both a development consideration and an ongoing priority. For the day-to-day tasks of AppSec pros, that often means the implementation of frequent vulnerability tests.

There are four broad types of application security tests:

Testing is an important strategy for achieving the goal King outlines: the protection of any line of code that is used for a critical process or that will transact critical data.

What does it take to work in AppSec?

AppSec roles are available at every level, from beginner to more advanced for those that already have strong cyber experience and are looking to make a change. For anyone interested in AppSec, being able to demonstrate your technical skills is important.

You might start with a few of these training options or certifications:

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

For King, it’s also about how you do what you do, including hot topic areas like communication, collaboration, out-of-the-box thinking and how you handle challenges. 

“Show your growth mindset and have a willingness to learn,” she says. “There are so many opportunities in this sector.”

To learn more about what it takes to work in AppSec, watch our Cyber Work Podcast, Building a billion-dollar cybersecurity company with Sam King.



Kimberly Doyle
Kimberly Doyle

Kimberly Doyle is principal at Kimberly Communications. An award-winning corporate communicator and content strategist, she has focused on enterprise technology for more than a decade. Her consultancy has led her to support in-house corporate communications teams for numerous technology goals including cybersecurity, SaaS and cloud management, data exchange, enterprise pricing and business analytics.