Web application security: Building a career path

Expert response from: Caleb Sima

QUESTION POSED ON: 29 May 2007
I want to build a career along application and programming security. What certification would be of help?
Well, first off I would like to say that there is really no certification that will help you build a career in this field. Most of the people that I know barely look at certifications, and even if they do, it does not add much value to their hiring decision. So then that raises the question: what does help you advance your career in the field?
Career advice and news:
Application security the goal of initiatives from SANS and SPI Dynamics

Beginning a Java security career

Mix of IT, business skills pay off for IT workers
Besides the common advice of reading good books and actually DOING what the book says (this is extremely important: don't just read a book, implement it), my advice is that you need to know how to program in some language fairly efficiently. I really should not have to say that, but in this day and age it's amazing the kind of people who pass themselves off as "application security experts."

Then find a niche and get really good at it. For instance, you might focus on application security specifically on Oracle application server or Ruby on Rails or new technologies like Silverlight or Adobe Apollo. Then once you become that expert, start talking about it. Post on mailing lists. Write white papers. Speak at security conferences. At this point the jobs come to you. Prove your expertise and experience and that you're not just another 'security expert' and you won't be asking how to build a career in appsec -- you will have already done it.

Let's move on to certifications. Don't look at certifications as validation that you know something. Rather, view them as a method of learning. In this case, SPI Dynamics has a great class on Web app security, and SANS is very well known for having good classes (see the related article in the top sidebar). In fact, I know the guys who teach the SANS Web application security class and they are great guys. I highly recommend it.

Free app security book excerpts:
Input Validation Attacks -- Hacking Exposed Web Applications, Second Edition, by Joel Scambray, Mike Shema and Caleb Sima

Architectural Risk Analysis -- Software Security: Building Security In, by Gary McGraw

Your first step, of course, is to pick up some books. I recently came out with a book, Hacking Exposed Web Applications, Second Edition (see the lower sidebar to download a chapter for free), and I would also suggest picking up any book by Gary McGraw, David LeBlanc and John Viega. By the time you finish 2-3 of their books you should be overloaded with knowledge of development security mistakes.

Good luck and let me know if you have any other questions.

Copyright 2006 - 2009, TechTarget