off-the-stack
cd ~/careers
Security, aka "AppSec"

Application Security Engineer

An engineer who breaks and defends software for a living — and gets paid handsomely for the rare combination.

Entry    $100k
Mid      $150k
Senior   $210k+
Demand   High

AppSec sits inside engineering, not in a separate security silo: you review code and architecture for vulnerabilities, build security tooling into the pipeline, threat-model new features, and help developers ship safely. It needs you to think like both a builder and an attacker — a combination uncommon enough that the pay is excellent and the demand never really cools.

The myth

Security is all compliance checklists and saying no.

The reality

AppSec is deeply technical and hands-on: reading code for real bugs, threat modeling, building security into CI, and helping engineers ship safely — far closer to engineering than to audit.

cat ./what_you_actually_do.md

  • Review code and architecture for real vulnerabilities before they reach production.
  • Threat-model new features so security is designed in, not bolted on.
  • Build security testing (SAST, DAST, dependency scanning) into the pipeline.
  • Partner with developers to fix issues and level up the whole org's security instincts.
  • Think like an attacker so the product survives meeting real ones.

cat ./why_underrated.md

Most people imagine security as compliance paperwork or a separate world from 'real' engineering, so engineers who'd love the work never look at it. But AppSec is one of the most technical and creative corners of software — it demands you genuinely understand how systems are built in order to find where they break — and the population that can do both building and breaking is small. Add a security premium to an engineering salary, a threat landscape that only grows, and you get a high-paid, durable specialty that's wide open to anyone willing to learn it.

grep -i 'good fit' ./who.md

  • Curious people who like taking things apart to see how they fail.
  • Engineers who think adversarially and enjoy puzzles with a human opponent.
  • Builders who want impact across a whole org, not one feature at a time.

cat ./pay.md

Security pays a premium on top of engineering, and AppSec specifically — the hands-on, code-level kind — is in chronic short supply. Senior AppSec engineers clear $200k+, and the skills are durable because new code (and new vulnerabilities) never stop being written.

./break_in.sh

  1. Learn to build first

    You can't secure what you don't understand. A real engineering foundation is the prerequisite, not optional.

  2. Play CTFs and use safe labs

    Capture-the-flag competitions and deliberately vulnerable apps (OWASP Juice Shop, PortSwigger Web Security Academy) teach the attacker mindset for free, and legally: they are built to be attacked.

  3. Learn the OWASP Top 10 cold

    Know the common vulnerability classes well enough to spot them in real code — that's the daily bread of AppSec.

  4. Move from a SWE seat

    The strongest AppSec engineers are often developers who got obsessed with security. Volunteer for security work and pivot in.

tail -f ./a_day.log

  • 09:00  Security review a PR for a new auth flow and catch an access-control gap.
  • 11:00  Threat-model an upcoming feature with the team that's building it.
  • 14:00  Tune the pipeline's dependency scanner to cut noise and surface real risk.
  • 16:00  Reproduce a reported vulnerability and write the fix guidance developers will actually follow.
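The 09:00 review above, as an added example that is not part of the original page: a hypothetical invoice endpoint with the access-control gap an AppSec reviewer catches in a PR (broken object-level authorization, the commonest shape of OWASP A01 Broken Access Control, one of the Top 10 classes step 3 of break_in.sh tells you to know cold), shown beside the fixed handler. The service, the User and Invoice types, the roles and the sample data are all constructed for the illustration; no real framework is involved, so it runs stand-alone.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # hypothetical roles: "customer" or "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data standing in for a database table:
# two customers, each owning one invoice.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount_cents=4999),
    1002: Invoice(invoice_id=1002, owner_id=2, amount_cents=125000),
}


class AccessDenied(Exception):
    """The caller is authenticated but may not read the requested object."""


def get_invoice_before(current_user: User, invoice_id: int) -> Optional[Invoice]:
    """The handler as submitted in the PR (the gap). The framework has already
    authenticated the caller, so a User is in hand, but nothing here asks
    whether *this* user may read *this* invoice. Any logged-in customer can
    walk invoice IDs and read other tenants' data."""
    return INVOICES.get(invoice_id)


def can_read_invoice(user: User, invoice: Invoice) -> bool:
    """One place that answers 'may this user read this invoice?'. Owners and
    admins may; everyone else is denied. Centralising the rule makes it
    reviewable and stops each handler re-deriving it slightly differently."""
    return user.role == "admin" or invoice.owner_id == user.user_id


def get_invoice_after(current_user: User, invoice_id: int) -> Invoice:
    """The fixed handler: fetch the object, then check the caller's relationship
    to that object before returning it. An unknown ID and an unauthorised read
    raise the same exception so the endpoint does not confirm which invoice IDs
    exist (an HTTP layer would map both to one status, e.g. 404)."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read_invoice(current_user, invoice):
        raise AccessDenied(f"user {current_user.user_id} may not read invoice {invoice_id}")
    return invoice


def read_allowed(current_user: User, invoice_id: int) -> bool:
    """True if the fixed handler serves the invoice, False if it refuses."""
    try:
        get_invoice_after(current_user, invoice_id)
        return True
    except AccessDenied:
        return False


def demo() -> Dict[str, bool]:
    """Reproduce the finding the way a reviewer would in fix guidance:
    user 2 requests user 1's invoice against both versions of the handler."""
    mallory = User(user_id=2, role="customer")
    alice_invoice_id = 1001  # owned by user 1, not by mallory
    leaked = get_invoice_before(mallory, alice_invoice_id)
    return {
        "before_leaks_other_tenant": leaked is not None and leaked.owner_id != mallory.user_id,
        "after_blocks_other_tenant": not read_allowed(mallory, alice_invoice_id),
        "after_still_serves_owner": read_allowed(User(user_id=1, role="customer"), alice_invoice_id),
    }


if __name__ == "__main__":
    for finding, value in demo().items():
        print(f"{finding}: {value}")
```

The review comment that goes with it is short: authentication tells you who is calling, authorization tells you whether that caller may touch this specific object, and the PR only did the first. Putting the decision in one function such as can_read_invoice is also what makes the rule easy to unit-test and easy to grep for when the next handler is added.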

ls ./toolbelt

  • A language you can read well
  • OWASP knowledge
  • Burp Suite
  • SAST / DAST tools
  • Threat modeling
  • Cloud security basics