MAY 2023
Tech Corner
An Intro to Roles in Cyber Security: Application Security Engineer: A Much In-Demand Critical Role
BY IQBAL SINGH
Introduction
Increasingly, businesses are becoming software-based and data-driven, so much so that almost every business uses some form of software and relies on data to make smart, fact-based decisions. From simple applications to advanced business tools, every company is slowly becoming a software and data company.
The Concept of Defence in Depth
Just as in the military, where defences are laid out in a tiered, multi-layered fashion, in the cyber world the defences are laid in layers, as illustrated in the above figure. Each layer needs to be protected and each layer demands a specific set of skills. The application layer is the second-last layer in the tier and denotes an extremely critical part of the cyber security architecture. An Application Security Engineer is the one who protects this tier of defence. While security across all layers is important, Forrester's 2020 State of Application Security Report revealed that the application layer is the most vulnerable to external attacks. It also cited open-source software as the chief concern for application security. The threat to application security outweighs the efforts currently being expended to curb it.
Understanding why software application security is important centres on being aware of some of the vulnerabilities that leave your application open to attack. For one, integrating open-source code and APIs increases the opportunities for vulnerabilities, as applications rely on traffic from these APIs and malicious files could pass through unfiltered. Also, your application's code is written by software developers who are, after all, human and not beyond mistakes. These mistakes could be as evident as errors in a couple of lines of code, or the entire code base could leave loopholes that an attacker could exploit. Vulnerabilities could also come from other aspects, like weak passwords. Websites and applications that allow weak passwords are more vulnerable to bad actors than those that enforce strong ones. That's why many sites have standards for the types of passwords users are allowed to create.
Mandate of an Application Security Engineer
An Application Security Engineer is responsible for ensuring the security of the
software applications developed by their organization. They analyze the software code
and design of the application to identify and mitigate any security vulnerabilities that
could be exploited by cybercriminals. Their role is critical as application vulnerabilities
are a common attack vector for hackers who want to gain unauthorized access to
sensitive information, cause damage to the system, or steal data.
A good way to explain what an Application Security Engineer does is to understand what they do NOT do. Application Security Engineers are not software developers. Although they know the full software development life cycle, the application security engineering skill set does not include developing business applications. However, much of their job is done during the business application's development stage. They work with software developers to set up security control measures during every stage of software development. Their activities include the proper implementation and configuration of security measures and controls, such as authentication, encryption and authorization, to protect a company's applications, and testing applications to ensure they are free from security loopholes. They also use tools and techniques to protect applications that have already been deployed.
On a rolling basis, an Application Security engineer will implement the different types
of application security as listed below:
Authentication: Implementing systems that ensure that users are who they say
they are. The most basic form is a username and password, but more advanced
forms of authentication have been developed.
Authorization: This layer ensures that the user has permission to use the
application or the components they are trying to access. If they are, they can. If not,
their access is blocked.
Encryption: This prevents attackers as well as genuine users from accessing
information they are not authorized to see, especially with data in transit.
Logging: Application Security engineers set up monitoring to help identify culprits
in case of a data breach and to keep track of the application’s behaviour.
Application Security Testing: This includes the specific tests that Application Security engineers run to reveal application vulnerabilities.
Other common tasks that Application Security engineers undertake include:
Identifying security vulnerabilities and determining solutions to fix them.
Reviewing system services and noticing problems in applications.
Performing software updates.
Setting up firewalls.
Running encryption programs within applications.
Scanning and testing applications.
Application Security is an Exciting, Dynamic and In-Demand Skill
Application Security Engineering Roles and Responsibilities
Application security engineering roles and responsibilities span the entire software development life cycle. The industry is extremely fast-paced and the duties may evolve, but the following describes the basic core of what they do.
Setting Development Parameters: Application Security engineers set security
controls and design requirements during the software creation and development
stage of the software lifecycle. They also integrate these designs into the software.
Ensuring Security Across The Development Lifecycle: The application security
engineer ensures that security across all aspects of the software is uniform by
setting up checkpoints.
Testing Source Code and Running Code: There are multiple types of testing that Application Security Engineers need to undertake and be proficient in.
Static Application Security Testing (SAST): The Application Security Engineer analyzes your application's source code for vulnerabilities before compiling and running it. This goes hand in hand with security measures in the development stage to avoid security loopholes.
Dynamic Application Security Testing (DAST): Security depends on software responding to inputs in a predetermined way. Dynamic testing analyzes running code by running attack simulations and studying how the application responds. These simulations often employ the same techniques hackers use to break into applications, and they reveal vulnerabilities that the engineer can patch so the app remains secure in case of a real attack.
Interactive Testing: Combining the best parts of both static and dynamic
testing, interactive testing analyzes code when its functionality is being
engaged. In other words, it is analyzing code when a user is interacting with the
application.
Mobile Testing: In this, mobile apps are tested for their app functionality
(UI/UX, business flows), real environment conditions (gestures, network),
performance, accessibility, and availability.
Email Testing: Email testing is an essential part of any marketing or transactional email campaign. Application Security Engineers make sure that the technical parameters of emails look right, that the HTML is correct, that deliverability is as high as possible, and that each email protocol works properly.
Implementing Advanced Security Features: After testing applications, the Application Security Engineer implements patches and utilizes shielding tools that harden applications, making them less vulnerable to attack. Some of these processes include:
Runtime Application Self-Protection: A combination of testing and shielding that protects applications from reverse engineering attacks. These tools also monitor the application's behaviour and can stop certain code/functions from running, and even terminate the application if need be.
Code Obfuscation: This involves hiding your source code from hackers so it can't be attacked. Other methods involve encryption and the use of threat detection tools.
Cyber Security is a Career Where You Will be Tested Daily by Your Adversaries and Hence Demands High Skills
Skills Required to Succeed in the Role
To succeed as an Application Security Engineer, one needs to have a strong
foundation in computer science, software engineering, and cybersecurity. Some of the
essential skills required for this role include:
Programming Skills: A solid foundation in programming languages such as Java,
Python, C/C++, and others is a must. An Application Security Engineer should be
able to read and understand code, identify vulnerabilities, and write secure code.
Security Knowledge: A deep understanding of cybersecurity principles such as
threat modelling, secure coding practices, authentication, authorization,
cryptography, and network security is essential. An Application Security Engineer
must be up-to-date with the latest security threats, vulnerabilities, and attack
methods.
Communication Skills: Effective communication is critical in this role, as the
Application Security Engineer must be able to articulate the security risks and
solutions to developers, project managers, and senior management.
Analytical Skills: Analytical skills are essential for analyzing application code,
identifying vulnerabilities, and recommending solutions.
Testing Skills: An Application Security Engineer must have expertise in testing
techniques such as static analysis, dynamic analysis, and fuzz testing.
Learning Paths to a Career As an Application Security Engineer
There are various paths one can take to become an Application Security Engineer.
Some of the common paths include:
Computer Science or Software Engineering Degree: Pursuing a degree in Computer Science or Software Engineering is a great way to gain a strong foundation in programming and software development. One can specialize in cybersecurity by taking courses in cybersecurity, cryptography, and network security. This is the ideal route. Having said that, several successful Application Security Engineers also come from non-computer-science backgrounds, but they do the necessary upskilling in software programming.
Cybersecurity Bootcamps: Cybersecurity bootcamps are intensive training
programs that can provide one with the knowledge and skills required to enter the
field of cybersecurity. These programs can cover topics such as cybersecurity
fundamentals, penetration testing, and secure coding practices. These can be
organized by training companies or by tech organizations themselves.
Certifications: As mentioned earlier, several cyber security professionals come from non-computer-science backgrounds. Relevant certifications provide them with a solid grounding as well as lending their profiles credibility.
On-the-Job Training: Many organizations offer on-the-job training programs for
their employees to help them transition into cybersecurity roles. These programs
can include mentorship, shadowing experienced professionals, and hands-on
experience with real-world projects.
Certifications Required
Certifications can help validate one's knowledge and skills in the field of cybersecurity.
Some of the popular certifications for an Application Security Engineer include:
Certified Application Security Engineer (CASE): This certification offered by the
International Council of Electronic Commerce Consultants (EC-Council) is
designed to validate an individual's skills in identifying, mitigating, and preventing
application security vulnerabilities.
Certified Information Systems Security Professional (CISSP): This certification
offered by the International Information Systems Security Certification
Consortium (ISC)² is a globally recognized standard for cybersecurity
professionals.
Certified Secure Software Lifecycle Professional (CSSLP): This certification
offered by (ISC)² validates an individual's knowledge in the areas of secure software
design, development, and deployment.
A Typical Day in the Life of an Application Security Engineer
A typical day in the life of an Application Security Engineer can be varied and
challenging. Here is a brief overview of what one might expect:
Review Emails and Prioritize Tasks: An Application Security Engineer typically starts the day by reviewing emails and prioritizing tasks for the day. They may have received requests from developers or project managers for security assessments, code reviews, or recommendations for mitigating risks.
Conduct Security Assessments: One of the key responsibilities of an Application
Security Engineer is to conduct security assessments of software applications. They
may use tools such as static analysis, dynamic analysis, and fuzz testing to identify
vulnerabilities in the application code. They may also use manual testing
techniques to identify weaknesses that automated tools may miss.
Collaborate with Developers: An Application Security Engineer works closely
with developers to ensure that security is integrated into every stage of the
software development lifecycle. They may collaborate with developers to review
code, identify vulnerabilities, and provide recommendations for remediation. They
may also provide training to developers on secure coding practices and help them
implement security controls.
Attend Meetings: This is a task no role in the corporate world can escape. An Application Security Engineer may attend meetings with project managers, developers, and senior management to discuss security risks, remediation plans, and progress updates. They may also provide input on the security implications of new projects or changes to existing applications.
Analyze Security Data: An Application Security Engineer may spend time
analyzing security data such as logs, alerts, and threat intelligence feeds. They may
use this data to identify patterns and trends that could indicate a security threat.
They may also use this data to develop security metrics and reports that can be
shared with senior management.
Stay Up-to-Date with Security Threats and Trends: An Application Security
Engineer must stay up-to-date with the latest security threats, vulnerabilities, and
attack methods. They may spend time reading security blogs, attending
conferences, and participating in online forums to keep their knowledge current.
Test and Evaluate Security Tools: An Application Security Engineer may spend
time testing and evaluating security tools such as vulnerability scanners, code
analysis tools, and intrusion detection systems. They may evaluate these tools to
ensure that they meet the organization's security requirements and provide
recommendations for improvements or alternative tools.
Document Findings and Recommendations: An Application Security Engineer
must document their findings and recommendations in a clear and concise
manner. They may use tools such as bug tracking systems, wiki pages, or reports to
document their findings and recommendations. They may also provide guidance
on how to implement their recommendations.
Conclusion
In summary, an Application Security Engineer plays a critical role in ensuring the
security of software applications developed by an organization. The task is not only
dynamic and demanding but also exciting and financially rewarding.
They work closely with developers, project managers, and senior management to
integrate security into every stage of the software development lifecycle. They must
have a strong foundation in computer science, software engineering, and
cybersecurity, and stay up-to-date with the latest security threats and trends. Their
day is filled with tasks such as conducting security assessments, collaborating with
developers, attending meetings, analyzing security data, and documenting their
findings and recommendations.
Lt Col Iqbal Singh (retd) is an infantry officer who started his career with the Garhwal Rifles in Dec 1987. He is currently a senior technology executive with a Big Tech firm based at Gurgaon. He is firmly of the belief that tech is an enabler and your friend. He is the Founder of Forces Network, the network of military veterans in the corporate world. His message to comrades-in-arms has been: do NOT be afraid of tech but embrace it. In line with this thinking, he relishes breaking stereotypes, crashing glass ceilings and doing the seemingly impossible. He believes that there are no barriers: all the barriers exist only in one's mind. It was with that firm conviction that Iqbal started the now famous ABCT (Any Body Can Tech) Program in Forces Network in 2019. Under this program, non-tech officers were taken to cloud certification level. Over 40 participants got certified by Microsoft in cloud computing under this program, which launched the tech careers of many of these participants. Iqbal believes that cyber security as a career is set to boom. He is convinced that military personnel can easily transition to cyber security with some upskilling. Accordingly, he has authored a series of articles demystifying cyber security. The current article is the sixth article to appear in the ForceNet E-Zine as part of the series.