Ask The Software Quality Expert: Questions & Answers
Web application security: Building a career path

Expert response from: Caleb Sima

QUESTION POSED ON: 29 May 2007
I want to build a career along application and programming security. What certification would be of help?

EXPERT RESPONSE

Well, first off, I would like to say that there is really no certification that will help you build a career in this field. Most of the people that I know barely look at certifications, and even if they do, it does not add much value in their decision on hiring. So then that lends the question: what does help you advance your career in the field?

Career advice and news (sidebar):
Application security the goal of initiatives from SANS and SPI Dynamics
Beginning a Java security career
Mix of IT, business skills pay off for IT workers

Besides the common advice of reading good books and actually DOING what the book says (this is extremely important: don't just read a book, implement it), my advice is that you need to know how to program in some language fairly efficiently. I really should not have to say that, but in this day and age it's amazing the kind of people who pass themselves off as "application security experts."

Then find a niche and get really good at it. For instance, you might focus on application security specifically on Oracle application server or Ruby on Rails or new technologies like Silverlight or Adobe Apollo. Then once you become that expert, start talking about it. Post on mailing lists. Write white papers. Speak at security conferences. At this point the jobs come to you. Prove your expertise and experience and that you're not just another 'security expert' and you won't be asking how to build a career in appsec -- you will have already done it.

Let's move on to certifications. Don't look at certifications as validation that you know something. Rather, view them as a method of learning. In this case, SPI Dynamics has a great class on Web app security, and SANS is very well known for having good classes (see the related article in the top sidebar). In fact, I know the guys that teach the SANS Web application security class, and they are great guys. I highly recommend it.

Free app security book excerpts (sidebar):
Input Validation Attacks -- Hacking Exposed Web Applications, Second Edition, by Joel Scambray, Mike Shema and Caleb Sima
Architectural Risk Analysis -- Software Security: Building Security In, by Gary McGraw

Your first step, of course, is to pick up some books. I recently came out with a book, Hacking Exposed Web Applications, Second Edition (see the lower sidebar to download a chapter for free), and I would also suggest picking up any book by Gary McGraw, David LeBlanc and John Viega. By the time you finish 2-3 of their books, you should be overloaded with knowledge of development security mistakes.

Good luck and let me know if you have any other questions.
Copyright 2006 - 2008, TechTarget