HackerTrans
TopNewTrendsCommentsPastAskShowJobs

aegis1k

no profile record

comments

aegis1k
·5 anni fa·discuss
Lots of good commentary in this thread.

A different take, I moved from product development into Cybersecurity Application Security and it enhanced my entire mindset around application development and building products.

It brought things to top of mind while I code that were lesser on the totem pole when in AppDev. I do not mean secure coding and remediating vulnerabilities but more holistic around building a product; security requirements, patterns, practices, etc.

1) if possible, do a rotation in Cybersecurity; specifically Application Security. This somewhat depends on what AppSec does at your company.

2) If your company has a security champion program, check that out.
aegis1k
·5 anni fa·discuss
To add, I am hiring individuals with a background like yours. Here is a role I have open that may give you some background on what I look for in AppSec engineers.

https://jobs.discover.com/job/12614460/principal-cybersecuri...

You will see a variance in roles in AppSec, for example

1) DevSecOps; build automation, shift left, etc...

2) Run security testing tooling and provide reports; "old school" approach to AppSec.
aegis1k
·5 anni fa·discuss
You have a good set of skills which is your software engineering background depending what type of AppSec role you are looking for. My background is very similar to yours.

It is the same way I entered the space to start building application security testing tooling automation into software delivery pipelines, shift left, if you like buzzwords, and learned (still am...) security along the way.

My best piece of advice for you is to be an advocate for application security on your team or in your area if possible. I am not sure the size of your company but if a Security Champion Program exists, that is a great way to get involved and start learning. Understanding risk management is another I would stress, as at the end of the day, you manage risk.

Here are questions to think about. Some may not be feasible depending how your company is setup to handle them but I will share for awareness.

- Do you threat model your application/s and/or new features?

- Do you consider security requirements when you are grooming features/stories? How would you help a team define them?

- Do you compose a SECURITY.md file in your codebase that takes about security requirements, mechanisms, implications, etc..?

- When you do code reviews, are you eyeing for security bugs? e.g., missing input validation/sanitization, broken authentication, etc...

- Are you automating security testing tooling (SAST, SCA) in your software delivery pipeline?

- Do you evaluate the OSS your application/s use with an SCA tool? (Be prepared for a lot of "false alarms", but the experience of triaging a CVE and understanding if risk of exposure exists is a good exercise).

I could probably add more but then we are going down a rabbit hole.

References

SAST = static application security testing

SCA = source composition analysis

Relevant links for learning

- Understanding OWASP Top 10 is table stakes

- MITRE ATT&CK Framework

- OWASP Web Security Testing Guide (https://owasp.org/www-project-web-security-testing-guide/)

- OWASP Application Security Verification Standard (https://owasp.org/www-project-application-security-verificat...)

- OWASP Software Component Verification Standard https://owasp-scvs.gitbook.io/scvs/

- OWASP Threat Modeling Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeli...

- https://github.com/devsecops/awesome-devsecops