Web application security positions have many titles associated with them. Call it what you want, but the main objective of this position is to defend web applications and their digital assets from cyber-attacks.
What Does A Web Application Security Officer Do?
A web application security officer deals specifically with security of websites, web applications and web services. They will know what vulnerabilities to look for in the development stack, application code, web network and database configurations. They are constantly scan and test for vulnerabilities knowing that the faster a breach is detected and contained the less costly that breach will be for the company.
11 Essential Skills for Web Application Security Officer
Here the web application security officer must be the subject matter expert with intimate understanding of common internet attacks (past and present) including various types of fraud and scams. The web application security officer must have a solid grasp of how the web works, understand various web application architecture components and how attackers exploit those components.
In addition, a deep understanding is required in contemporary standards, practices, procedures and methods used to prevent flaws and weaknesses in the environment. Last but not least, staying current with breaches around the web, compliance mandates and laws not only in the organization’s country, but in any country in which the organization does business.
Security Policy Creation and Enforcement
The web application security officer is responsible for documentation and planning for all web security-related information, including incident response and recovery plans. Establishing and enforcing protocols, security measures and controls are also required in this position. Also required is constant surveillance and evaluation of current policies against new standards and laws as well as flaws identified internally or externally discovered by others throughout the industry.
Knowledge of Application Security Testing Tools
There are many Application Security Testing (AST) tools available in the industry. Their benefits include increased productivity and efficiency, repeatable and scalable tests, finding known vulnerabilities, issues, and weaknesses, and enabling users to triage and classify their findings. Deploying these tools takes time and expertise. The web application security officer must be familiar the AST tools available, understand which tools will provide the most bang for their organization’s buck as well as how to incorporate those tools into the web application development lifecycle.
A primary responsibility of the web application security officer is to mitigate attacks, therefore, this position requires a proactive attitude to foresee the types of threats and attacks their system might be subject to and think of possible solutions to effectively mitigate the problem.
Identifying the root cause of any security incident is only half the problem. The web application security officer must be eager to dig into technical issues and examine problems from all sides to not only identify a problem, but help to solve it.
Leadership and Collaboration Skills
The web application security officer is responsible for establishing the security culture of an organization, therefore must be able to effectively lead not only their own group when creating policy but convince other groups to join the fight. Also during any security incident, the web application security officer must effectively lead a team to isolate the root cause, minimize the impact, manage negative effects and quickly alter security controls to prevent future breaches.
Security does not happen in a vacuum. While the web application security officer is responsible for establishing and enforcing security policies, the implementation of those policies is done by other teams requiring the web application security officer to establish trusted relationships with all teams involved with the development and support of web applications. Accepting feedback for security policies and standards, input on prioritizing work and coordinating technical vulnerability assessments require the web application security officer to develop close, effective working relationships with many different groups.
The web application security officer must have strong communications skills to clearly articulate complex concepts (both written and verbally) throughout an organization. Addressing technical staff with the results of technical vulnerability assessments, explain what was found and its severity, how to replicate it and most importantly how to properly fix it. Additional skills are needed to translate technical information as well as discuss business requirements, impacts and budget, with those who many not have a strong technical background such as executives, vendors and customers.
A web application security culture is only successful if everyone understands it and is on-board. It is up to the web application security officer to not only communicate, but educate those in the organization about the value of the digital assets being protected, how those assets are being protected and most important how people in the organization can contribute to the effort.
Remain Calm Under Pressure
Hackers work 24/7 therefore the vigilance against them must also be non-stop. Should a breach occur the web application security officer must remain calm and allow critical and analytical thinking to rule at this time in order to effectively manage the situation.
A successful candidate will have a mature understanding of the architecture, administration and management of a web application environment. Knowledge of networking, cloud computing environments, general programming/software development concepts and an understanding of the more common programming languages is required in order to understand and communicate with technical staff.
A thorough understanding of web application security best practices, including guidelines from OWASP and SANS is a must.
Hackers don’t take a break. The web application security officer must keep vigilance over the web application environment. Always looking for new ways to secure their organization’s digital assets from a cyber-attack including staying abreast of new recommended practices, in-depth analysis of breaches at other organizations, and certification classes in an effort to prevent incidents before they can occur.
Securing an organization’s digital assets takes dedication not only from those directly charged with the task, but from the entire organization. Leading that charge is the web application security officer who possess a strong mix of both technical skills and people skills to lead, collaborate with, and educate others in the battle to keep those assets secure.