A different take, I moved from product development into Cybersecurity Application Security and it enhanced my entire mindset around application development and building products.
It brought things to top of mind while I code that were lesser on the totem pole when in AppDev. I do not mean secure coding and remediating vulnerabilities but more holistic around building a product; security requirements, patterns, practices, etc.
1) if possible, do a rotation in Cybersecurity; specifically Application Security. This somewhat depends on what AppSec does at your company.
2) If your company has a security champion program, check that out.
To add, I am hiring individuals with a background like yours. Here is a role I have open that may give you some background on what I look for in AppSec engineers.
You have a good set of skills which is your software engineering background depending what type of AppSec role you are looking for. My background is very similar to yours.
It is the same way I entered the space to start building application security testing tooling automation into software delivery pipelines, shift left, if you like buzzwords, and learned (still am...) security along the way.
My best piece of advice for you is to be an advocate for application security on your team or in your area if possible. I am not sure the size of your company but if a Security Champion Program exists, that is a great way to get involved and start learning. Understanding risk management is another I would stress, as at the end of the day, you manage risk.
Here are questions to think about. Some may not be feasible depending how your company is setup to handle them but I will share for awareness.
- Do you threat model your application/s and/or new features?
- Do you consider security requirements when you are grooming features/stories? How would you help a team define them?
- Do you compose a SECURITY.md file in your codebase that takes about security requirements, mechanisms, implications, etc..?
- When you do code reviews, are you eyeing for security bugs? e.g., missing input validation/sanitization, broken authentication, etc...
- Are you automating security testing tooling (SAST, SCA) in your software delivery pipeline?
- Do you evaluate the OSS your application/s use with an SCA tool? (Be prepared for a lot of "false alarms", but the experience of triaging a CVE and understanding if risk of exposure exists is a good exercise).
I could probably add more but then we are going down a rabbit hole.
A different take, I moved from product development into Cybersecurity Application Security and it enhanced my entire mindset around application development and building products.
It brought things to top of mind while I code that were lesser on the totem pole when in AppDev. I do not mean secure coding and remediating vulnerabilities but more holistic around building a product; security requirements, patterns, practices, etc.
1) if possible, do a rotation in Cybersecurity; specifically Application Security. This somewhat depends on what AppSec does at your company.
2) If your company has a security champion program, check that out.