After this lesson, you will be able to: Translate the skills from this sub-track into a resume, a portfolio, and interview answers that get AppSec offers.
Application Security is the highest-paying entry-level path in security right now because dev-aware security engineers are scarce. This lesson turns this sub-track's skills into a concrete career plan.
Application Security Engineer, the canonical role, lives between security and engineering teams; reviews PRs, writes Semgrep rules, runs threat modelling. $130-$220k. Security Engineer (Product Security), embedded with a product team; ships secure-by-default frameworks. $140-$220k. Penetration Tester (web focus), consults externally or internally on AppSec engagements. $90-$170k. Bug Bounty Triage, salaried role at HackerOne, Bugcrowd, or large companies; validates incoming reports. $80-$140k. DevSecOps Engineer, security automation in CI/CD pipelines. $120-$200k. Search 'application security engineer', 'product security', 'AppSec' on LinkedIn.
Skills: OWASP Top 10, Burp Suite, DVWA / WebGoat / Juice Shop, Semgrep, secure code review (JavaScript/Python), HackerOne report writing, CI/CD security (Snyk, npm audit), basic threat modelling (STRIDE). Projects: 'Exploited and patched 4 OWASP Top 10 categories in DVWA; wrote remediation notes per category.' 'PortSwigger Academy: 30 labs completed across SQL, XSS, CSRF, IDOR, SSRF.' 'Authored 3 custom Semgrep rules for the patterns I see most in code review (linked GitHub).' 'Submitted 1 HackerOne report on a public-VDP program (closed as N/A, but received triage feedback I've documented).' Certs: Sec+ held; BSCP or PenTest+ in progress.
'Explain SQL injection to a junior engineer.' (Tests communication AND knowledge.) 'What's the difference between stored, reflected, and DOM-based XSS?' (Memorise this; it appears constantly.) 'Walk me through how you'd review a PR that adds a file-upload endpoint.' (Tests practical code-review thinking.) 'You find SQL injection in a critical production app. What do you do in the next 24 hours?' (Tests incident judgement + dev relationship.) 'Describe a bug you found in your own learning.' (Bring a DVWA or PortSwigger Academy example, walk through full attack path + fix.) 'How do you balance security with developer velocity?' (Senior question; show empathy for the dev workflow.)
Ship two or three of these inside 60 days. Each is an interview talking point.
Complete 30+ PortSwigger Academy labs. Publish writeups for the 10 hardest.
Fork a real open-source web app on GitHub. Run Semgrep over it, write up the findings with severity + recommended fix.
Author 3 custom Semgrep rules for patterns you've seen and explain the bugs they detect.
File at least one HackerOne report on a public VDP program. Even N/A or Informational results teach the workflow.
Write a STRIDE threat model for a fictional or open-source web app. Publish as PDF on GitHub.
Write a blog post 'Five vulnerabilities I found in DVWA, with patched code'.
Listing 'Burp Suite' on a resume without ever scripting it. Recruiters ask for the extension you wrote. Claiming OWASP Top 10 knowledge without being able to exploit AND patch each category. Showing up to an interview without a GitHub. The interviewer is asking themselves 'where can I see your work'. Treating security as adversarial to engineering. The candidate who says 'I'd partner with the team to ship the fix' beats the one who says 'I'd block the deploy' every time.
Sign in and purchase access to unlock this lesson.