Article by Meera Rao, Senior Director of Product Management, Synopsys Software Integrity Group

I was a software developer and continuous integration practitioner for over 20 years before I was accidentally thrown into the security field.

When I initially joined this field, I had no clue about anything related to security, and was quite nervous when talking to my own colleagues, let alone speaking to clients or at conferences, as I do now. Being able to speak intelligently about the field and share my knowledge at conferences helped me a lot in my security career. Having a solid understanding of software development, end-to-end knowledge of the software development life cycle, and a deep understanding of software architectures was instrumental to my success in the security field.

From data breaches to open-source security issues, IoT devices vulnerable to cyber-attacks, and unsecured servers, we have seen it all and continue to observe these security issues pop up almost every day. So, how can you be part of an industry that has a severe talent deficit, make a positive impact, grow your career, and be well compensated?

In all honesty, having advanced degrees in information security is not necessary to be a leader in this industry, and I am a prime example of this fact. Let me walk you through the job requirements for some of the latest AppSec focus areas, and offer some guidance on how to contribute and be part of the latest trends in the industry:

Cloud Security Practitioner: Cloud is the talk of the town these days. Every organization (big or small) wants to move to the cloud. To work as a cloud security practitioner, you need to have experience in building, communicating about, and managing cloud environments. You also need to have managed a migration to the cloud, delivered a cloud-native project, led and/or delivered cloud automation, and have a working knowledge of Amazon Web Services, Microsoft Azure, and Google Cloud platforms. Knowledge of Red Hat / OpenStack would also be highly valuable.

DevSecOps Engineer: Who hasn’t heard of these industry buzzwords: DevOps, DevSecOps, SecDevOps? If you are interested in being part of a great DevSecOps team as a DevSecOps engineer, then you should gain experience in containerization technology (preferably Docker and Kubernetes), have written enterprise Java applications using the JEE technology stack, have deep knowledge of build automation (e.g., Jenkins, Bamboo) and release automation (e.g., Jenkins, Puppet), and have experience using scripting languages (e.g., Ruby, Python).

Security Champion: Security Champions are software developers. They give the application security and architecture teams a first level of defense by providing application security guidance directly to their development teams. If you are part of a development team, have good communication skills, and are curious to know more about security, you can be a security champion candidate.

The following roles require that you have a solid understanding of application architectures, frameworks, and the threat landscape, as well as some security background.

Threat Modeling SME: Threat modeling identifies the types of threat agents that cause harm and adopts the perspective of malicious hackers to see how much damage can be done to a system. As a threat modeling subject matter expert, you would review the system’s major software components, security controls, assets, and trust boundaries, and then model those threats against existing countermeasures. You would then need to evaluate the potential outcomes.

Threat modeling requires an experienced security architect with knowledge in three fundamental areas: architecture and design patterns, enterprise application technologies, and security controls and best practices. Performing threat modeling is a difficult and expensive undertaking for most organizations, and finding skilled people is often a challenge.

Security Consultant: Do you like traveling (a requirement under traditional circumstances)? How about working within different industry verticals such as multinational media corporations, healthcare companies, financial institutions, pharmaceutical companies, and so on? Do you like the idea of parachuting in wherever software insecurity invades and working to stomp out bugs and flaws wherever they hide? Then you would enjoy life as a security consultant. In this role you will perform source code analysis, software penetration testing, and secure software design and architecture, and you will become an indispensable advisor to customers.

I want to leave you with a final word. What I’ve shared with you today is a teaser of all the exciting career options you can have in the AppSec industry. However, the key to being successful is constantly learning about new attacks and threats, and above all, helping customers exterminate the bugs and untangle the flaws that make their systems insecure.