Learn Application Security Engineer Skills
After completing this unit, you’ll be able to:
- Explain the impact of application security on business.
- List the key skills needed to become an application security professional.
- Describe common application security scenarios.
The Impact of Application Security on Businesses
Inadequate application security can have huge negative consequences for an organization. Cyber intruders attack a variety of organizations every day in the hope of enriching themselves by extracting money, corporate information, and intellectual property. Attackers use the hijacked data to make unauthorized purchases and steal consumers’ identities.
If you follow the news, you know that attackers have successfully compromised applications to access data stored in the computer systems of retailers, credit reporting companies, airlines, entertainment companies, government offices, schools, and many other organizations. In one case, a hotel chain was breached by a foreign country. In another case, a SQL injection attack, which we’ll cover later, installed spyware on a company’s computers which exposed customer credit card information. In multiple cases, intruders stole credit card data by taking advantage of weak data encryption systems. In total, these attacks exposed the personal information of hundreds of millions of customers.
These security breaches resulted in direct economic impacts from fraud and theft, but a security breach can also yield indirect economic impacts, like the loss of reputation. This can produce additional financial consequences on the business due to a loss of customers, reduced shareholder trust, and damaged brand image. Security breaches can also have legal and regulatory ramifications that result in fines and sanctions.
Application security engineers have a critical role to play in ensuring that customer data is adequately protected by business applications. Because the role of an application security engineer is so important, they need to have a wide range of proficiencies. Let’s dig into this a bit more to see what skills an application security engineer needs.
Application Security Engineer Skills
Imagine that you’re going to fly to a distant island for a tropical vacation. Before you board your airplane, you must pass through multiple airport security checkpoints. Security personnel check your ID and boarding pass, you walk through a metal detector, your luggage is X-Rayed, you pass airport security dogs, and security guards monitor TV screens to watch for unusual activity. These are layers of security at the airport to ensure that you enjoy a safe trip to your destination. Similar to the security personnel at an airport, an application security engineer must be aware of attacker entry points and provide the necessary safeguards against vulnerabilities at each phase of the application’s development and deployment.
Reports from security associations (ISC)² and Information Systems Security Association International (ISSA) discuss the cyber security skills shortage that has been growing for years. An increase in security incidents has led organizations to report an acute need for application security professionals to protect applications and data. In light of this and the fact that application security engineers require more training, an application security engineer can often earn more money than application developers.
Application security engineers employ various techniques at different stages of an application’s software development lifecycle (SDLC) to uncover security vulnerabilities. In order to do this, an application security engineer must have a good grasp of many technical skills, which include:
- Threat modeling: Think about how attackers can compromise a system and what protections are needed against them
- Secure Software Development Life Cycle (SSDLC): Help developers write secure code that minimizes vulnerabilities by implementing secure coding standards, techniques, and best practices
- Security code reviews: Identify security vulnerabilities in source code before an application is deployed to production
- Vulnerability testing and analysis: Discover weaknesses once an application is deployed and advise development teams on remediation
Since application security engineers work with various people (application developers, testers, designers, and others), they need to be good collaborators and communicators. They also need to be good writers since they generate documents that explain their technical findings. In some cases, they need to use their persuasive powers to convince management why a certain security feature should be installed before an application is deployed. Often, they must use their critical thinking skills to determine the various ways that an intruder would try to attack an application. Then they need to find creative solutions to thwart potential attacks. If an intrusion occurs, they investigate the incident to help identify the source of the compromise and harden the application against future attacks.
On top of the skills listed above, the following certifications can bolster an application security engineer’s knowledge.
- GIAC Web Application Defender (GWEB)
- GIAC Secure Software Programmer (GSSP)
- Certified Secure Software Lifecycle Professional (CSSLP)
- Secure Software Practitioner (SSP)
- Certified Application Security Engineer (CASE)
- Advanced Web Attacks and Exploitation
If you’re considering a career as an application security professional, earning a college degree in computer science is a good way to start on that path. Application security engineers will often start out as application developers and then transition into the cybersecurity field. Also, multiple colleges offer degrees in cybersecurity. It’s definitely an exciting field with many opportunities.
Now that you know about the skills you need to be an application security engineer, let's look at what common security scenarios an application security engineer encounters and how to protect applications in these situations.
Common Application Security Scenarios
Cybercriminals look for the easiest access to steal, modify, or destroy data that requires the least amount of effort and provides the biggest payback. The more complex an application is, the higher the probability that it contains security vulnerabilities. Applications, especially web applications, are targets of cybercriminals because they present a large and relatively easily exploitable attack surface (the user interface) that can allow an intruder to access sensitive information stored on a computer. Also, intruders do not need any special tools to attack a web application. All they need is a computer and an Internet connection.
While attackers are trying to figure out how to infiltrate an application, application security engineers are focused on minimizing vulnerabilities in application code and ensuring application components are securely configured in order to prevent unauthorized access to customer accounts and data. A valuable resource to consult when reviewing applications security risks is the Open Web Application Security Project (OWASP). OWASP is an international organization that provides freely available information focused on improving software security.
So, what are some common risks an application security engineer may encounter? An injection attack is a good example and occurs when there is improper sanitization of application inputs. In an injection attack, an intruder inserts code, instead of expected input data, into the applications input handling logic (the code that manages communication between an end user interface and a database).
If the application is written incorrectly, the application will run the code that the attacker injects. For example, structured query language, known commonly as SQL, could be entered into an email address field on a web page. SQL is a language used in programming and is designed to manage data. If there is no check on the input field, an attacker might be able to extract information (like health records) from the application’s database by using the SQL code.
To sanitize a user’s input, an application should ensure that the application handles user input as data instead of commands and includes only allowlisted characters (an allowlist is a list of characters that are granted access to a system). When an allowlist is used, all other entities are denied access, except those included in the allowlist, and those that don’t exceed the maximum data field lengths.
Other responsibilities of application security engineers are reviewing, testing, and verifying code during the development process to ensure user inputs are properly sanitized in order to help prevent against the injection attack described above. This is especially critical in the context of agile software development, which seeks to deliver application functionality faster than other development methods. But the agile method adds complexity because it requires continuous updating of applications to keep up with end-user expectations. Developers are expected to provide new features and fix discovered bugs at a rapid pace. Applications must be hardened to prevent exploits, and it's the application security engineer’s job to advise the development team on the most efficient way of doing so.
Weak, or nonexistent, encryption is another prevalent application security shortcoming that can allow attackers to expose sensitive data. Applications are vulnerable when they use protocols like HTTP that transmit data as clear text. Instead, applications should use secure protocols like HTTPS that encrypt data transmissions, so the data can’t be read without the proper decryption key. Old, weak encryption algorithms and internally developed encryption functions should be avoided. Instead, application security engineers should rely on secure, standards-based encryption algorithms.
Application security engineers help developers follow a Secure SDLC process. They adopt secure application design and architecture techniques based on well-known security practices, which include providing strong authentication and authorization and employing secure session management to prevent unauthorized access.
Application security engineers deploy applications that prevent users from logging in with default credentials, since this is a common attack vector. They sanitize user input to hinder injection attacks. Some data breaches have succeeded due to weak encryption, so application security engineers use strong algorithms with appropriate encryption key management to encrypt data transmissions and stored data (data at rest). Then if attackers infiltrate the system, they can’t extract any useful information since they won’t know how to decrypt the data.
Application security engineers ensure that errors are handled properly so that no sensitive information is released to the user. They also perform static and dynamic application security testing during and after application development and monitor the application for any unusual activity after deployment.
Sum It Up
In this unit, we covered how an application security breach can impact a business, what skills application security engineers need, and explored common application security scenarios. Next, let’s discuss the first step every good application security engineer takes: identifying the applications in their environment, and their associated risks.
- PDF: OWASP Top 10 - 2017
- External Site: OWASP: Top 10-2017 What's Next for Developers
- PDF: OWASP Secure Application Design Checklist
- External Site: (ISC)² Online Training: Assessing Application Security
- External Site: SANS: Defending Web Applications Security Essentials
- External Site: EC-Council: Certified Application Security Engineer (CASE)