Monday, January 31, 2011

Hot Security Skills: Web Application Security

Web Application Security

For several years now, employers, security job candidates, security industry magazines and others have been asking me to identify the hottest skills in the information security marketplace.

The list of skills to choose from is extensive, but for several years now supply and demand in the marketplace have led me to point to Web Application Security as one of the hottest, and hardest to recruit for, cyber security skill sets.

Application Security History

The first corporate application security job landed on my desk in the 2001 timeframe. At that time, we could not find candidates for the major insurance and financial services company that called on us. The skill set was in its infancy at the time.

Today, although the requirement for application security or web application security skills has now been around for a decade, the skill set is not a whole lot easier to find.

Web Application Security Skills In Demand

A couple of years ago, a major security industry magazine asked me to write a very brief 90-word column covering skills in demand. While other skills are also in demand, every time I sat down to write the 90-word column, another web application security requirement landed on my desk. I no longer contribute this 90-word column, partly because the answer continues to be the same: Web Application Security was, is and continues to be a hot skill.

Web Application Security Skills Employers Expect us to Deliver

A sampling of two web application security job descriptions sitting on my desk today asks for the following skills and experience:

Software / Security Assessment: Evaluate applications for appropriate and effective use of security controls using tools and techniques such as source code analysis, vulnerability scanners and manual testing techniques.

Secure Software Architecture: Provide expert guidance to software developers on the appropriate selection and implementation of relevant application security controls.

  • Bachelor of Science in Computer Science
  • 8-10 years experience in software engineering and development
  • Delivery of secure, internet-exposed, multi-tier web-based systems
  • Hands-on experience throughout the SDLC, including requirements gathering and test planning, software architecture, secure coding and Quality Control testing.
  • Substantial hands-on coding experience in Java / J2EE or C# / .NET.

Employers are in a bind when it comes to hiring Web Application Security professionals.

They’d like to hire individuals who can come in and work with tools such as Fortify SCA, WebInspect, IBM Rational AppScan, Burp Suite, Metasploit, Core Impact and more, but employers believe that for the person working with these tools to be of maximum value, the security professional needs deep experience writing code themselves.

Additional Skills Employers Want

In addition to experience writing code, experience performing manual code review and experience working with automated web application security tools, employers are frequently looking for security professionals whose skill sets run even deeper.

Here are a few additional requirements an employer recently included in their job description:

  • Experience with web application firewalls such as Imperva SecureSphere and Breach WebDefend.
  • Experience with the secure configuration and operation of Application Servers, Web Servers, Directory Servers, Media / Content Servers, Messaging Servers, Database Servers and Integration Servers.
  • Experience with application-layer intrusion detection systems such as Sanctum AppShield or Kavado, application authentication and authorization systems such as RSA ClearTrust and Netegrity SiteMinder, and more.

Education / Certification

Not a lot of credentials exist today to verify that a web application security professional is really good at what they do. For those looking for credentials (and I recommend doing so), consider the credentials available from ISC2 or from EC-Council. From a recruiting standpoint, it is hard work to determine who has these complex sets of skills and who does not. Certification of some sort wouldn’t prove who has the skills and who doesn’t, but it would give recruiters a good place to start when working to identify web application security consultants or W-2 full-time employee candidates.

For more information on the topic of web application security, go to OWASP.

For a programmer or software engineer who has written code for one, two or even three decades and who is looking for the next step in their career, providing either in-house or external consulting services in the realm of web application security is a strong bet.

Those who work with web application security tools but who have never written a line of code will always be at a disadvantage compared to those who have written code and then added web application security skills to their skill set.

On My Desk at

Why am I writing about this topic again? Because demand is every bit as strong today as it has been in the past. As a recruiter, it is to my advantage to share what employers are demanding in the hope that those of you who are looking for an edge might prepare yourselves with the right education, certification and experience so I can call on you when these hot security jobs come along.

Here is our current demand for Web Application Security. I’m convinced that we could acquire more jobs like these if we thought we could deliver qualified candidates:

Web Application Security Consultant (on-site and telecommute)
Winston Salem, NC
Minneapolis, MN
San Francisco, CA

Application Security Engineer
Rockville, MD

Web Application Security Engineer
San Francisco, CA

Web Application Security Engineer
Los Angeles, CA