Web Application Security
A Hot Information Security Skill Set for 2010

For the past few years, one of the hottest information security job skill sets has been web application security.  Rolling into 2010, demand for web application security and secure software development (SDLC) skills continues at SecurityRecruiter.com.  Employers typically look for two different kinds of web application security professionals.

Former Software Engineers / Former Application Developers

Web Application Security candidates who come from an application development / software engineering background are in high demand.  What is typically expected of these candidates is a background in C, C++ or Java development, or a background in Windows development from a Microsoft shop, underlying the application security skill set.

Here is a picture of a recent set of client requirements from SecurityRecruiter.com that demonstrates the skills a global employer running a UNIX / Linux, C++, Java enterprise environment required of a Web Application Security candidate:

  • Deep application development / software development experience that includes C++ and Java coding.
  • Understanding of security protocols and APIs (Java Cryptography API, Kerberos, etc.).
  • Strong understanding of application threat modeling and SDLC security aspects.
  • Strong documentation skills in writing application security policies, procedures and standards.
  • Solid understanding of application security essentials including Threat Modeling, SSL / TLS, Digital Signatures, Access Control, Auditing Architectures, Application Vulnerabilities (SQL Injection, Cross-Site Scripting, Buffer Overflows, etc.), Public Key Infrastructure (PKI using RSA), Authorization / Authentication, Cryptography, Password Protection, State Management (Cookies, Session), Trusted Systems.
  • Familiarity with Google Widget Toolkit preferred.
  • Must demonstrate thorough understanding of Oracle Databases, Apache and Tomcat, Red Hat Linux, UNIX, web service security using WS-Security and SOAP.
  • Experience with agile software development methods using SCRUM preferred.
  • Understanding of the framework of Model-View-Controller (MVC) design pattern using the Struts framework preferred.
  • Familiarity with application vulnerability testing tools such as Fortify, Ounce Labs, AppScan, AppDetectivePro, N-Stalker, Nikto, Webscarab, Web Inspect, etc. preferred.

Here is an example of a financial services employer’s need for a web application security professional in a Microsoft Windows environment:

  • Requires significant experience developing web based systems utilizing .NET, C#, XML, SQL, etc.
  • Must demonstrate understanding of regulatory compliance requirements such as SOX, GLBA, PCI-DSS.
  • There will be significant need to interact with people, to share thoughts and to share ideas in this role.
  • Strong verbal and written communication skills must be present to create presentations, to build technical reports, to build proposals and to present in front of groups.
  • Must demonstrate strong analytical problem solving skills.
  • It is desired that you hold membership in organizations such as OWASP, SANS, ISSA, etc. Appreciated certifications include: CISSP, CSSLP, E|CSP, E|SAD.

Here is another example of a Secure Software Development / Web Application Security set of requirements delivered to SecurityRecruiter.com in 2009:

  • Demonstrate 7+ years of significant software development lifecycle experience developing, maintaining and deploying software systems
  • Demonstrate significant experience with a variety of operating system environments and an understanding of architectures, best practices, development technologies and secure software development processes
  • Successful candidates will demonstrate significant experience with the following topics: Cross Site Scripting, Buffer Overflows, Secure Code Reviews (manual and automated), Developing Secure Applications, Secure Software Development Lifecycle Implementation, Web Application Penetration Testing, SOA Architecture, J2EE, .NET, C, C++, Apache, Tomcat, IIS, WebSphere, etc. US Citizenship is required.

These three examples show needs for former software engineers / application developers who have ventured into the world of web application security.

Application Security Jobs without a Programming Background

Another profile employers sometimes appreciate is that of an application security professional who has not formerly been a programmer or software engineer.  Application Security professionals in this category typically come from a security audit or network security background and are skilled at reading C, C++ and/or Java code and at understanding web application security vulnerabilities.  These professionals will be skilled with automated application security software such as Fortify, Ounce Labs, AppScan, etc.

A recent client requirement for a non-programmer background to do web application security assessment work read like this:

  • Strong technical background in Java enterprise application technology.
  • Can read and understand code.
  • Static analysis with Fortify (preferred) or IBM/Ounce.
  • Understands APIs and architecture (JSP, Servlet, EJB, Hibernate, Struts, Ant, etc.).
  • Can handle technical discussions with development leads at the client site.

Certification and Training for Web Application Security Professionals

At SecurityRecruiter.com, we saw our first search with an Application Security title back in the 2002 timeframe.  The search came from an enterprise financial services company and proved to be next to impossible to fill at the time.

Security training and certification bodies have begun to address web application security with training and certification opportunities such as these:

  • EC-Council: E|CSP (free introductory training through SecurityRecruiter.com)
  • ISC2: CSSLP
  • SANS: .NET (GSSP-NET)
  • SANS: Java (GSSP-JAVA)

Regardless of whether a security professional has a programming background, certification in this skill domain is highly recommended.  Until these certifications and training opportunities were developed recently, recruiters had no efficient way to determine whether a security professional had expertise in the realm of application security.  Making this determination was a long, drawn-out process, and to some extent it still is today.

As companies find more and more ways to leverage the Internet to do business, there will continue to be a need for secure software development and web application security professionals to guide development teams in building web-facing applications with security in mind.

is the President of , an executive search firm highly specialized in filling security jobs.  SecurityRecruiter.com has been filling security jobs since the mid-1990s in the US, Canada and abroad.  Through the , SecurityRecruiter.com provides weekly security job updates, security resume writing advice and security career information.  is offered in partnership with