Danny's newsletter - Issue #23
This will be a deep dive on Application Security, part 4 of a 4 part series where we discuss career paths and roles within Cybersecurity in more depth.
Previously we covered,
In this post, Application Security will be discussed.
Other names for this area of Cybersecurity are “Production Security” or “Prod Security”. When we hear “Production”, this means anything that could be considered customer-facing.
This is the field you’d go into if you have some developer or engineering experience. For example, maybe you’ve worked at a startup as a software engineer for a year or two but have been interested in Security.
I work with several members of the Prod Security team, and can say that the scope of work can include Incident Response on the Production side, security library reviews, and code reviews for other engineering teams. Digging a little deeper into these, this could look like the following:
Incident Response on the Production side
This can be an incident where the main web app is down, or a major API in production has been leaked.
The Prod Security team leads this incident with support from other members of the Security team.
Security Library Reviews
Apps and tools all use different code libraries, such as jQuery in JavaScript, or Requests and Pandas in Python. Members of the Prod Security team can find themselves reviewing these libraries for best practices and security holes. This review could be proactive, or it could be triggered by a vulnerability disclosed in a particular library or package.
Code Reviews
When an engineering team wants to ship a feature and it has been peer reviewed (think GitHub pull requests), a Security review follows as the last step.
This is not an exhaustive list, just an overview of what the job looks like.
Hope this was helpful in understanding the career path and domain of Application Security.