A recent report suggests that 700,000 new cybersecurity professionals have joined the market since 2020. But still, we are nowhere near closing the talent gap.
LinkedIn shows only about 3k+ people with the "Application Security Engineer" job title.
Let's dive into the world of application security:
Application security engineers ensure that your development team follows security best practices at each step of the software development life cycle.
Some of the responsibilities of an application security engineer can be:
There are some universities where you can study application security; however, you are more likely to depend on your own efforts in training, certifications or bug bounties.
You'll be expected to be fluent in at least one programming language, and some companies will ask you to develop a small application.
You can start by joining OWASP communities and projects, and also enrol in many free courses:
There are also many certification programs related to application security:
According to Talent.com, the average salary of an application security engineer is around $136k annually in the United States.
Let's look at the required qualifications in the application security engineer jobs posted by some of the top companies:
Tesla is looking for someone to work on embedded firmware with a modern tech stack of C/C++ and Rust. All Teslas have a Chromium-based browser, so it is no surprise that JavaScript experience is a requirement.
Someone with experience in security automation (SAST, DAST, fuzzing...) and threat modelling will be the right fit for this role.
Gaming giant Electronic Arts wants to hire someone to secure client systems (PC, mobile) and cloud infrastructure.
Someone with a security researcher background who has built vulnerability management programs and is experienced in OS internals would be successful in this role.
Amazon is looking for someone with strong communication skills for this role. You may need to explain issues to developers or even less technical people.
Someone with a consultant background would be a good fit. Hands-on appsec experience and threat modelling experience will help you make your way into AWS.
As you can see, Application Security Engineer is a multi-disciplinary role. There are multiple roads to take, and in addition to technical skills, it requires effective communication skills.