Ask HN: How to Transition from Software Engineering to Application Security?
2 points by appsecnewb on July 30, 2021 | 3 comments
I'm a mid-level software engineer with mostly back-end and some full-stack experience. I have experience with using static code analysis tools to identify and fix vulnerabilities found in the OWASP Top 10, and I'd like to make a transition into Application Security full-time because I'm really interested in this field.

I've had a few AppSec interviews but most of the time my job applications are ignored. At my current job I don't have the opportunity to work on anything security related and I'm not sure what I can do to gain more security skills and make my resume marketable for AppSec roles, not just SWE. Of course I've been taking Udemy classes and watching YouTube videos on OWASP vulnerabilities but it seems silly to put on my resume that I merely took some classes.

I'm located in the Bay Area but have also been applying to remote roles.



Some thoughts (in no particular order):

(1). It's considered uncool to recommend certifications here on HN, but in my experience they can help. I believe the problem comes from a combination of a. people who believe certifications alone are a panacea, and b. people who work hard on getting the certifications at any cost (including possibly outright cheating) and don't actually use the certification prep process as a real learning opportunity. I expect there is significant overlap between groups (a) and (b), but that's just a hunch.

Anyway... consider one or more of the "starter" level security oriented certifications as part of the overall story you want to tell with your resume. Security+ maybe.

(2). Compete in CTF events and such-like.

(3). Participate in bug-bounty programs. Do security research on your own time, get your name "out there" for producing actual results.

(4). If you're a developer now, think in terms of working on automation / tools related to security (offensive or defensive tools). Start a new open source project from scratch, or find a way to get involved with an existing project. Search for interesting projects on GitHub to possibly work on:

https://github.com/topics/infosec

https://github.com/topics/hacking

https://github.com/topics/security

...

(5). Attend local security/infosec related meetups. Learn a lot about some specific topic and then volunteer to do a presentation on that topic at one of the Meetups. Heck, maybe present on the cool new tool you wrote as part of (4) above. Note: most Meetups are always on the lookout for presenters, and this is one of the easiest ways to start making a name for yourself in a given field.

(6). Blog about security related topics, including security research that you do. See (3) above.

(7). Use LinkedIn. Share security focused content there. Network with people in the field that you meet (see (5) above).

(8). Tweet about security. Build an audience of people who know you and your knowledge.

(9). Set up a "home lab" (in the literal sense, or use cloud servers, or a combination of both, whatever) and start learning. Even if it's not something you can document as a "bullet point" on your resume, you still need the raw underlying knowledge to support several of the previous points.

(10). Attend the big national hacking/security conferences - DEF CON, Black Hat, RSA, HOPE, ShmooCon, whatever. Network and get to know people in the industry. Drop the word here and there that you're looking for work if it seems appropriate.

Not to say you need to (or should) do all ten of those things, or even any one specific one of them in isolation. But I think some combination of the above could contribute to helping you achieve your goal.

And to collapse a lot of those threads down to one (11) point, I'd say "learn, study, study, research, learn, learn, learn, study" as much as you can. At the end of the day, if you know your shit, and I mean really know your shit, not just the "can pass a certification test" level, but the "I could have written the damn test myself" level, or the "developed a new exploit myself that is big enough to get a talk accepted at Defcon", it will show over time.

Edit:

Just to add another thought or two. If you're particularly interested in crypto (as in "encrypting data", not "cryptocurrency") then consider the Cryptopals Challenge(s).

https://cryptopals.com/

Also, HN user tptacek is a well known figure in the infosec field, and often chimes in on career related threads from what I've seen. You might browse through his comment history and see if he's dropped some useful advice. I'd almost be willing to bet money that he has.

https://news.ycombinator.com/threads?id=tptacek


You have a good set of skills in your software engineering background, depending on what type of AppSec role you are looking for. My background is very similar to yours.

It is the same way I entered the space: I started building application security testing tooling automation into software delivery pipelines ("shift left", if you like buzzwords) and learned (still am...) security along the way.

My best piece of advice for you is to be an advocate for application security on your team or in your area if possible. I am not sure of the size of your company, but if a Security Champion Program exists, that is a great way to get involved and start learning. Understanding risk management is another thing I would stress, as at the end of the day, you manage risk.

Here are questions to think about. Some may not be feasible depending on how your company is set up to handle them, but I will share them for awareness.

- Do you threat model your application/s and/or new features?

- Do you consider security requirements when you are grooming features/stories? How would you help a team define them?

- Do you compose a SECURITY.md file in your codebase that talks about security requirements, mechanisms, implications, etc.?

- When you do code reviews, are you looking for security bugs? e.g., missing input validation/sanitization, broken authentication, etc.

- Are you automating security testing tooling (SAST, SCA) in your software delivery pipeline?

- Do you evaluate the OSS your application/s use with an SCA tool? (Be prepared for a lot of "false alarms", but the experience of triaging a CVE and understanding if risk of exposure exists is a good exercise).

I could probably add more but then we are going down a rabbit hole.

References

SAST = static application security testing

SCA = source composition analysis

Relevant links for learning

- Understanding OWASP Top 10 is table stakes

- MITRE ATT&CK Framework

- OWASP Web Security Testing Guide (https://owasp.org/www-project-web-security-testing-guide/)

- OWASP Application Security Verification Standard (https://owasp.org/www-project-application-security-verificat...)

- OWASP Software Component Verification Standard https://owasp-scvs.gitbook.io/scvs/

- OWASP Threat Modeling Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeli...

- https://github.com/devsecops/awesome-devsecops


To add, I am hiring individuals with a background like yours. Here is a role I have open that may give you some background on what I look for in AppSec engineers.

https://jobs.discover.com/job/12614460/principal-cybersecuri...

You will see a variance in roles in AppSec, for example:

1) DevSecOps; build automation, shift left, etc...

2) Run security testing tooling and provide reports; "old school" approach to AppSec.



