Application security jobs are waiting. What are you waiting for?
Want a job? Your chances can’t get much better than in an industry with low unemployment.
So if you’re looking, head for the door marked “cybersecurity.” Unemployment isn’t just low — it’s nonexistent. There has been a shortage of skilled labor in the field for years — although the global gap this year is smaller, down to 3.12 million from 4.07 million last year according to (ISC)², a nonprofit association of certified cybersecurity professionals.
But the organization reported that the number of qualified applicants in the field still needs to grow by approximately 41% in the U.S. and 89% worldwide to fill the talent gap.
And therefore — no surprise — the money is good. According to a recent report from labor analytics firm Burning Glass, the salary premium for some of the most in-demand job titles can be more than $15,000. Salaries easily range from $100,000 to $200,000 and more.
The company said it used a database of more than 1 billion historical job records to make five-year projections. At the top of the projected growth ladder for cybersecurity jobs are application development security and cloud security, expected to grow by 164% and 115% respectively over the next five years.
According to the Bureau of Labor Statistics (BLS), cybersecurity jobs will grow 31% through 2029, more than seven times faster than the national average job growth of 4%.
That makes sense. Cyberattacks these days can have consequences far worse than stolen credit card numbers, identity theft, and ransomware, as serious as those are.
They can also have catastrophic physical consequences. In the past few years, hackers have demonstrated the ability to take over critical functions of modern cars, medical devices, home security systems and the control systems of critical infrastructure.
All of those products are part of the vast and growing Internet of Things (IoT), and are all run by software that, to protect users, needs to be both safe and secure.
Within application development security the premium job titles are software developer, cyber security engineer, systems engineer, DevOps engineer, and network architect. The fastest growing demand for subspecialties are in DevSecOps (+174%), container security (+155%), microservices security (+113%), and application security code review (+43%).
Of course, the key word in all this for job seekers is “skill.” To get the job, you have to be able to do the job. And if you don’t know what DevSecOps, microservices, and code review are, or even how to write code, you will need some training.
Which could be the tricky part. Cybersecurity is not exactly at the forefront of the current higher education system, even though there have been multiple initiatives launched to close the skills gap.
More than a year ago, President Trump issued an “Executive Order on America’s Cybersecurity Workforce,” declaring that the nation’s “cybersecurity workforce is a strategic asset that protects the American people, the homeland, and the American way of life.”
It called for the federal government to “create the organizational and technological tools required to maximize the cybersecurity talents and capabilities of American workers — especially when those talents and capabilities can advance our national and economic security.”
Among its various mandates was an order to adopt the National Initiative for Cybersecurity Education Framework (NICE Framework) as the basis for cybersecurity skill requirements for program participants to placing federal workers into “reskilling” programs.
The NICE Framework is “a nationally focused resource that establishes a … common lexicon to describe cybersecurity work, and workers, regardless of where, or for whom, the work is performed.” It covers work roles, tasks, skills, knowledge and abilities.
That framework hasn’t gone away. It is part of the NIST, the National Institute of Standards and Technology. But the skills gap isn’t going away either.
That may be in part because while there are plenty of college and university programs that focus on software development skills, when it comes to software security, not so much. Forrester research reported last year that of 40 university computer science programs it surveyed across the U.S., not one required students to take courses in secure coding or secure application design.
No degree doesn’t mean no job
That, according to a number of experts, doesn’t shut the door to those jobs entirely. They say as long as an applicant has some knowledge of common cyberattacks and how to deliver code that isn’t littered with vulnerabilities, the rest of the training can be on the job. The ivory tower is not the real world, in other words.
Sammy Migues, principal scientist at Synopsys, said earlier this year that things change so fast in cybersecurity that “when you hit the field, it’s not college. Once you’re in an organization, you’re working with their particular (coding) languages, you’re doing it in their frameworks and internal libraries, following their coding standards, and doing it all in their development toolchains.”
Jonathan Knudsen, senior security strategist at Synopsys agrees that if an applicant has basic skills and demonstrates some ambition, on-the-job training can do the rest.
“Employers are desperate enough for software security help that they will likely place a high value on demonstrated initiative and willingness to learn,” he said.
But then, he also agrees that there ought to be more security training in college and university programs. “Over time, I hope that university computer science programs will require security as a core part of their curriculum, reflecting the reality that all software development must include security,” he said. “For now, however, security is an elective if it is offered at all.”
“Application security is more challenging than straight computer science, because you need to know more about the various layers that make up software.”
So what should an aspiring application development security job candidate do?
Meera Rao, senior director, product management (DevOps Solutions) at Synopsys offers three key job titles that she said are within the reach of “any college kid” with some motivation and technical aptitude.
Cloud security practitioner: “Cloud is the talk of the town these days. Every organization, big or small, wants to move to the cloud,” Rao said.
“How do you get a working knowledge of Amazon Web Services, Microsoft Azure, and Google Cloud platforms? All these cloud providers have numerous, free online learning courses and certifications. With those you can work as a cloud security practitioner, building, communicating, and managing cloud environments.”
DevSecOps Engineer: “Major industry buzz words are DevOps, DevSecOps, and SecDevOps. If you are interested in being a DevSecOps engineer, then you should get experience in containerization technology — preferably Docker and Kubernetes, have written enterprise Java applications using the JEE technology stack, have deep knowledge of build automation using tools like Jenkins, Bamboo, release automation (Jenkins, Puppet, etc.) and experience using scripting languages (Ruby, Python, etc.).”
Security champion: “Security champions are software developers who help to provide the first level of defense in the form of application security guidance to their development teammates. If you are part of a development team, have good communication skills, and are curious to know more about security, you can be a security champion candidate,” Rao said.
Knudsen also recommends taking advantage of “copious online resources about application security.”
“If you want an application to be reasonably secure you need to understand what’s happening beneath the surface; you should know about the capabilities and constraints of the browser environment, you should understand the ins and outs of HTTP, you will need to understand cryptography in order to use it properly, you must know how to avoid common attacks like XSS and CSRF, you should be including security testing as part of your development process, and on and on,” he said.
Given the demand in the cybersecurity market, however, that doesn’t mean credentials or certifications are mandatory. “Get them if you can,” Knudsen said, “but don’t spend too much time or money before you start applying for jobs.”
“I tell people that if you can get into a software security position, you’ll work for as long as you want to work. Tremendous demand coupled with short supply means that anyone with even a whiff of security knowledge will be prized by employers.”