Photo by Pawel Czerwinski / Unsplash

Becoming an AppSec Engineer. Could you do it? - Dan's story

AppSec Jun 25, 2022

I’ll start with a brief rundown of my IT career. I know it’s boring reading about other people’s jobs but bear with it, it is relevant.

Every little helps

I came into IT fairly late at 27 with A+ and N+ certifications I’d gained as part of my resettlement from the Royal Navy, but no real experience. I managed to land myself a role as a Network and Infrastructure Assistant, dealing with a wide range of responsibilities including hardware upgrades, firewalls, IP telephony, AD and Exchange configuration.

This was a great job. Part of a small team, every day was different and I got the opportunity to design and implement my own processes.

Fast forward a few years and I was given the opportunity to become a junior full-stack dev. It was a tough decision as I was essentially starting again, but I’d seen demand for developers skyrocket and knew that if I didn’t take the leap now, it was never going to happen. Daunting as hell, especially at 34 years old.

They say your brain is a sponge when you’re young, well my sponge felt like it had a concrete coating.

A lot to learn, but I chipped away piece by piece and became competent. Near the end, I think I may have even become good at what I did and became a lead developer. You notice I haven’t mentioned any involvement in Application Security yet?

So why am I telling you this? You’re almost certainly asking what the hell it has to do with becoming an AppSec engineer. Well, I’ll tell you….

I got lucky but you may have to make your own luck

A bit of luck goes a long way

A couple of years ago an ex-colleague and good friend of mine rang me out of the blue with an “opportunity”. He wanted me to join his growing team of 2 and become an AppSec Engineer. I couldn’t put the phone down fast enough. After questioning my competency for a good chunk of the last decade, why on earth would I put myself through that again???? His answer… it’s the future. So, I gave it a look. He sent me some links, I read a few articles and blog posts, watched a few videos, and by the end of it, realised he was right.

Cybercrime was at an all-time high, sites were being taken down for fun and people were being held to ransom.

A quick search of job sites showed that companies were crying out for people like him. Now was the time of the AppSec Engineer. Protect and serve... or something like that.

Companies wanted to safeguard their assets and prevent themselves from becoming the next big news story, but there were very few people with the experience to take on the roles. And here was me being handed the opportunity to get into this industry, on a silver platter. I still wasn’t 100% sure though.

The more I looked into it, the more daunting the role became. So, I looked back. I didn’t know what I was doing in any of my previous roles… until I did them. Few people do.

So, we talked it through and he explained: It’s not your job to make the application secure, it’s your job to investigate and consult on the best way to secure the application. I didn’t get it. So you’re going to pay me to Google stuff and tell other people what to do? Yep… at first. He then went on to explain that the best form of defence is attack, so let’s see how the attackers do it and introduced me to Try Hack Me and Hack The Box.

This isn’t work! I’m learning about cool shit here.

Once again, I was unwittingly picking up a little bit of knowledge. If I know how these guys are looking to exploit a vulnerability, I can just stop it from being vulnerable. I could stick a firewall rule in there and block that port. I’ve done that before. I could add something in the config here to prevent verbose error logging. I’ve done that plenty of times. This input is susceptible to SQL injection, if we stick some validation in this line of code, we can mitigate that. I can tell the Dev team to take a look and we’re golden!

All of a sudden, it all fell into place, this could be the perfect role for me. So I took it.

I do this everyday because life is brilliant

How did things pan out?

Fast forward 2 years and I don’t know the job inside out, by any stretch of the imagination, but nobody does. The threat landscape is continuously changing and all you can do is your best to keep up with it. But honestly, a lot of it is just common sense. If you only want to return a product code from an API query, don’t expose the whole database, you’re just asking for trouble. A developer will look to get the job done and will undoubtedly have the best intentions at heart.

It’s your job as an AppSec engineer to get them thinking of the most secure way of doing that. Be it through IDE plugins, automated security gates you’ve added in the CI/CD pipelines, ongoing security training through platforms such as Secure Code Warrior or just talking new functionality through with the dev teams as part of their refinement, you’re doing your job and helping to secure the product.

I've leant towards the DevOps side of things introducing automation throughout the SDLC, but we have people from a risk background who prefer to deal with compliance, others that have taken a real shine to offensive security and a few who are just looking to replicate the full-stack philosophy and become well-rounded engineers.

I probably wouldn't bother if you look like this whilst thinking

Can you do it?

I guess what I’m trying to say in a very long-winded way is, that if you’ve taken a look at AppSec and thought “I can’t do that”, you probably can.

There are so many areas you can specialise in.

You’re interested enough to be here reading up on how somebody else has done it and I daresay you’ve got more core skills than you realise, the rest you’ll pick up along the way.

Now don't get me wrong, not everyone's got a mate who's going to ring them out of the blue and offer them an interview, but I'm telling you now, there are plenty of opportunities out there and they're not necessarily looking for experience in AppSec specifically. A lot of companies are just looking for someone with an interest in security who is willing to learn as they realise the experience isn't out there yet.

See what's out there, what they're looking for and get reading up.

Worst case you gain a bit of security knowledge. But you just might land yourself a role in a rapidly expanding and well-paid sector of an industry that's not going anywhere anytime soon. Good luck


Dan Fuller

Previously a Network Admin, Full-Stack Dev, Part-Time crime fighter and now an AppSec Engineer. I've had my fair share of jobs in IT, but this is the first I'm passionate enough to write about.