EXPERT RESPONSE
Well, first off I would like to say that there is really no certification that will help you build a career in this field. Most of the people that I know barely look at certifications, and even if they do, it does not add much value to their hiring decision. So then that raises the question: what does help you advance your career in the field?
Besides the common advice of reading good books and actually DOING what the book says (this is extremely important: don't just read a book, implement it), my advice is that you need to know how to program in some language fairly efficiently. I really should not have to say that, but in this day and age it's amazing the kind of people who pass themselves off as "application security experts."
Then find a niche and get really good at it. For instance, you might focus on application security specifically on Oracle application server or Ruby on Rails or new technologies like Silverlight or Adobe Apollo. Then once you become that expert, start talking about it. Post on mailing lists. Write white papers. Speak at security conferences. At this point the jobs come to you. Prove your expertise and experience and that you're not just another 'security expert' and you won't be asking how to build a career in appsec -- you will have already done it.
Let's move on to certifications. Don't look at certifications as validation that you know something. Rather, view them as a method of learning. In this case, SPI Dynamics has a great class on Web app security, and SANS is very well known for having good classes. In fact, I know the guys who teach the SANS Web application security class, and they are great guys. I highly recommend it.
Your first step, of course, is to pick up some books. I recently came out with a book, Hacking Exposed Web Applications, Second Edition, and I would also suggest picking up any book by Gary McGraw, David LeBlanc, or John Viega. By the time you finish 2-3 of their books, you should be overloaded with knowledge of development security mistakes.
Good luck and let me know if you have any other questions.