3 Essential AppSec Skills for 2020 and beyond

Have been thinking about this one for a while now, and I thought I'd pen it down in long form.

For me, the 3 Essential skills in AppSec, for 2020 and beyond are:

Threat Modeling

More organizations are looking to "shift left", especially by identifying vulnerabilities early and often in the SDL, which has driven the rise of DevSecOps and Continuous Application Security initiatives. Threat Modeling is emerging as the most effective way to shift left: done well, it lets you find, enumerate and fix security bugs at the earliest possible stage in the lifecycle, before a line of code is written. Learn how to Threat Model. It will serve you well in your Security career.

Programming

There was a time (especially in Network and OS Security) when security professionals didn't need to learn how to code. That time is long past. In today's Application and AppSec landscape, it's criminal for an AppSec professional not to know how to code (in any language). Modern AppSec professionals needn't build enterprise-grade solutions, but they do need to understand code. Coding helps in multiple ways, including, but not limited to: engaging with developers on secure coding, finding more serious vulnerabilities with white-box techniques, and understanding and working with modern DevOps and deployment paradigms like the Cloud, Containers and Kubernetes. Not knowing how to code is a major handicap that you want to correct ASAP.

Dev(Sec)Ops

Nearly every organization I speak with is either aggressively steeped in DevOps or is looking to be that way. Continuous Delivery of applications is a state that organizations want to reach, especially when they are embracing the cloud and faster deployment paradigms. Just as most other aspects of the SDL have been embedded into DevOps pipelines (functional testing, unit testing, build management, etc.), security is also becoming a key aspect of DevOps. Automated security tests in the form of SAST, SCA, DAST and IAST are becoming the norm for even the stodgiest of companies. Learning how to do this effectively, and implementing it, also future-proofs some aspects of your career.
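As an added example (not code from the original post), one way to wire those automated tests into a pipeline: a gate script that reads a SAST report and an SCA report, applies a severity policy, and fails the build on HIGH findings that have not been risk-accepted. The report shapes are assumptions modelled on the JSON that Bandit and pip-audit emit, and both sample reports are constructed.

```python
import json

# Constructed sample reports (not real scan output). Field names are modelled
# on Bandit (SAST) and pip-audit (SCA) JSON output; treat them as assumptions.
SAST_REPORT = json.dumps({"results": [
    {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "filename": "app/run.py", "line_number": 42},
    {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
     "filename": "tests/test_x.py", "line_number": 7},
]})
SCA_REPORT = json.dumps({"dependencies": [
    {"name": "examplelib", "version": "1.0.0",
     "vulns": [{"id": "EXAMPLE-VULN-0001", "fix_versions": ["1.0.1"]}]},
    {"name": "cleanlib", "version": "2.3.0", "vulns": []},
]})

# Gate policy: any finding at or above FAIL_AT blocks the build.
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
FAIL_AT = "HIGH"

def normalize(sast_json, sca_json):
    """Flatten both reports into (source, id, severity, location) tuples."""
    findings = []
    for r in json.loads(sast_json)["results"]:
        loc = f'{r["filename"]}:{r["line_number"]}'
        findings.append(("SAST", r["test_id"], r["issue_severity"], loc))
    for dep in json.loads(sca_json)["dependencies"]:
        for v in dep["vulns"]:
            # Policy assumption: a vuln with an available fix is HIGH (an
            # upgrade is actionable now); one with no fix yet is MEDIUM.
            sev = "HIGH" if v.get("fix_versions") else "MEDIUM"
            findings.append(("SCA", v["id"], sev, f'{dep["name"]}=={dep["version"]}'))
    return findings

def gate(findings, accepted_ids=frozenset()):
    """Return (passed, blocking). accepted_ids is a reviewed baseline of
    risk-accepted finding ids, so known issues don't fail every run."""
    blocking = [f for f in findings
                if RANK[f[2]] >= RANK[FAIL_AT] and f[1] not in accepted_ids]
    return (len(blocking) == 0, blocking)

if __name__ == "__main__":
    passed, blocking = gate(normalize(SAST_REPORT, SCA_REPORT))
    for f in blocking:
        print("BLOCK", *f)
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

In a real pipeline the two JSON strings would be the files the scanners wrote in earlier stages, and the accepted-id baseline would live in version control so every exception is reviewed.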