The Security Careers Guide

Application Security Engineer

The responsibilities of the Application Security Engineer, operating under the Head of Security Engineering.

Chapter 4 | 5 min read | Updated 17 Apr 2025

An Application Security Engineer is responsible for helping Software Engineers secure the Software Development Lifecycle (SDLC). They will report to the Head of Security Engineering in most organisations, and will embed themselves within the engineering department. It is important for an Application Security Engineer to have a background in Software Engineering and knowledge of DevSecOps practices.

The responsibilities of an Application Security Engineer will vary depending on the size of the technology department; often they will take on Cloud Security, Network Security, DevSecOps, and Automation responsibilities, plus much more, on top of their own core competencies. This may sound like a lot to take on, but it can be a varied and exciting career path for a software engineer who is interested in security.

We’ll break down the core competencies alongside the SDLC to highlight where each responsibility fits in.

Planning & Requirements

The Application Security Engineer will be involved in defining suitable security requirements, which might be influenced by regulatory requirements. These security requirements can form part of a service readiness document and act as a checklist of items that teams can plan in as part of their definition of done for project and feature work.

It’s also important for teams to have the security metrics they require to make informed decisions on patch and remediation work so that it doesn’t simply sit as security tech debt as systems degrade over time. This is a key component when deciding what tools to adopt, as it provides the opportunity for continuous improvement and allows teams to make informed decisions regarding risk.

Design & Architecture

As an Application Security Engineer, you want teams to ensure their software designs and architecture are secure, and a great way to discover potential vulnerabilities early in the SDLC is through threat modelling. The Application Security Engineer will influence the security culture in teams so that they lead their own threat modelling exercises. Because the team building the software has the domain-specific knowledge and are the subject matter experts on the systems they are building, it doesn't make sense for a security professional to carry out the threat modelling exercise for them; rather, they should lay the foundations and be there to support and guide where required.

A popular framework for threat modelling exercises is STRIDE, which guides you on the type of threats to look for in relation to specific aspects of the design. It’s common to follow Shostack's 4 questions as a guide during threat modelling exercises.

Implementation & Development

This is where it is important to shift security tooling left, so that developers have fast feedback loops where they are writing their code. This usually comes in the form of Static Application Security Testing (SAST), Software Composition Analysis (SCA), and secret scanning tools. Some of the most popular options, which come with a level of free access for you to try them out, are CodeQL, Snyk, and Semgrep.

A key focus of the Application Security Engineer is to provide a great developer experience; it's essential not to increase the overhead on teams or introduce bottlenecks through the tools that are adopted. Bring the developers along on the journey when deciding which tools to use and how they will integrate into the existing ways of working.

Testing & Quality Assurance (QA)

In modern technology departments you would expect everything to be deployed through a pipeline, but this is not always the case.

This is where security gates can be introduced, within the deployment pipeline or as a manual step in legacy systems, to ensure as many vulnerabilities as possible are prevented from reaching production. The most common security gates come in the form of the SAST, SCA, and secret scanning tools mentioned previously, but Dynamic Application Security Testing (DAST) can also be leveraged between pre-production and production.

Once software has been deployed to a pre-production environment, DAST facilitates security testing at runtime against that environment to ensure it’s secure before pushing out to production. You can think of a DAST scan as a simulated penetration test.

Deployment

An Application Security Engineer will help to ensure the platforms which facilitate deployments are secure. This will include configuration settings in version control and deployment pipeline platforms (which are often the same platform) to require code review, enforce the four-eyes principle, and include any security gates as required.

It’s also important to make sure the way in which code is deployed to a company owned datacentre or a cloud vendor is secure; in AWS for example you would look at using OpenID Connect (OIDC) and IAM Roles with short-lived credentials that are scoped to specific repositories within your version control.
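As an added example (not from the guide), here is what repository-scoped OIDC trust looks like in AWS, assuming GitHub Actions as the version control and pipeline platform (the guide only says "your version control"): a constructed IAM role trust policy that lets only one repository's main branch assume the role, beside a weak variant, plus a small check that flags trust policies whose subject condition is missing or not pinned to a repository. The account id, org and repository names are placeholders.

```python
import json

OIDC_ISSUER = "token.actions.githubusercontent.com"  # GitHub Actions is an assumption here

# Constructed example: trust policy pinned to one repository and branch via the "sub" claim,
# and to the intended audience via "aud", so a token from any other repo cannot assume the role.
SCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_ISSUER}:aud": "sts.amazonaws.com",
            f"{OIDC_ISSUER}:sub": "repo:example-org/example-app:ref:refs/heads/main",
        }},
    }],
}

# Constructed weak variant: a wildcard subject lets a workflow in any repository assume the role.
WEAK_TRUST_POLICY = json.loads(json.dumps(SCOPED_TRUST_POLICY))
WEAK_TRUST_POLICY["Statement"][0]["Condition"] = {"StringLike": {f"{OIDC_ISSUER}:sub": "repo:*"}}


def repo_of(sub: str) -> str:
    """Return '<owner>/<name>' from a 'repo:<owner>/<name>:<claim>' subject, or '' if unparseable."""
    parts = sub.split(":")
    return parts[1] if len(parts) >= 2 and parts[0] == "repo" else ""


def trust_policy_findings(policy: dict) -> list[str]:
    """Review every Allow statement for AssumeRoleWithWebIdentity and report weak conditions."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        # Collect all values for a claim across operators (StringEquals, StringLike, ...).
        def values(claim):
            out = []
            for op in cond.values():
                v = op.get(f"{OIDC_ISSUER}:{claim}")
                out.extend(v if isinstance(v, list) else [v] if v is not None else [])
            return out
        subs, auds = values("sub"), values("aud")
        if not subs:
            findings.append(f"statement {i}: no sub condition, any workflow from the issuer can assume the role")
        for sub in subs:
            if "*" in repo_of(sub) or not repo_of(sub):
                findings.append(f"statement {i}: sub {sub!r} is not scoped to a single repository")
        if not auds:
            findings.append(f"statement {i}: no aud condition")
    return findings
```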

Production & Maintenance

Through the existing steps a lot of point-in-time vulnerabilities and misconfigurations will have been captured, but naturally new vulnerabilities are discovered every day, so a previously unknown vulnerability may exist within your software in production. As a result it's important to continue to test in production, and this can be achieved with DAST through continuous scans or on a suitable schedule.

The role of the Application Security Engineer is centred around the SDLC; however, it's just as much about people, and about building a security culture which makes security accessible and encourages everyone to be responsible for it. This culture can be nurtured by providing suitable modern education, a community to share and discuss security-related topics, and the empowerment to take ownership of security posture across the business. You will need to collaborate across teams and departments, so good communication skills are essential.

It's common for Application Security Engineers to have no certifications; they are not a requirement for the role in most organisations, but you may find they hold vendor-specific certifications that align with the tech stack of the companies they have worked for. The following list provides some example certifications, but it's not exhaustive:

The Application Security Engineer role is varied, so you need to be adaptable, but because of that it can provide you with many options for personal development and career progression. You’ll remain technically hands-on, but also become a teacher and a leader within the business.