OWASP DevSlop

Jobs in Information Security (InfoSec)

By Tanya Janca (shehackspurple)

This article is for beginners, not experts. :-D

Almost all of the people who respond to my #CyberMentoringMonday tweets each week say that they want to "get into InfoSec" or "become a Pentester"; they rarely choose any other job or get more specific than that. I believe the reason for this is that they are not aware of all the different areas within the field of Information Security (InfoSec for short, and "Cyber" for those outside of our industry). I can sympathize; I was in the same position when I joined. I knew three Penetration Testers and lots of Risk Analysts, and I had no clue that there were several other areas that might interest me, or even that they existed. I knew I didn't want to be a Risk Analyst, so I thought the only other option was PenTester. Now I know that is not at all true. This blog post will detail several other areas within the field of Information Security in the hope that newcomers to our field can find their niche more easily. It will not be exhaustive, but I'll do my best.

Image by Henry Jiang of Oppenheimer & Co.

The above image shows 8 different potential areas within the field of Information Security according to the author, Henry Jiang: Governance, Risk, Career Development, User Education, Standards, Threat Intelligence, Security Architecture and Security Operations.

Since I come from the software development side of IT, and have done almost exclusively coding, my view is going to be extremely biased. With that in mind, the first area you may want to consider is Application Security (AppSec); any and all work towards ensuring that software is secure. This is the field that I work in, so it will have the most detail. There are all sorts of jobs within this field, but the most well-known is the web app pentester (sometimes called an ethical hacker); a person who does security testing on software. Such a person is often a consultant, but can also work in large companies. They test one system, intensively, perform a lot of manual testing, and then move on. 

Jobs in Application Security:

  • Application Security Engineer: you do a mix of all the things listed under AppSec and you are generally a full-time employee. This includes making custom tools, launching a security champion program, writing guidelines, and anything else that will help ensure the security of your organization's apps. I personally consider this the sweet spot, as I get to do varied and interesting work, and see the security posture improve over time. It is, however, usually a more senior role.
  • Threat Modeller: working with developers, business representatives and the security team (that's you in this scenario) to find and document potential threats to your software, then create plans to test for and fix the issues.
  • Vulnerability Assessment: running lots of scans, all the time, of everything. You can scan the network too. Ideally you will do more than this, to assess the security of the systems in your care, but it depends on where you work. This position is often an employee position and you tend to have prolonged relationships with the systems and teams you assess.
  • Vulnerability Management: keeping track of the vulnerabilities that all the tools and people find, reporting to management about it, and planning from a higher level; for instance, attempting to wipe out an entire bug class, implementing new tools because you see a deficiency, resource planning, etc. This is usually an employee position, and often a manager or team lead role.
  • Secure Code Reviewer: reading lots of code, using SAST (static application security testing) tools and SCA (Software Composition Analysis - are our 3rd party components secure?), finding vulnerabilities in written code and helping developers fix it. 
  • DevSecOps Engineer: an AppSec engineer working in a DevOps environment. Same goal, different tactics. Adding security checks to pipelines, figuring out how to secure containers and anything else your DevOps engineers are up to.
  • Developer Education: this is usually a consultant role, but sometimes at large companies someone can do this full time. The person teaches the developers to write secure code, the architects to design secure apps, threat modelling, and any other topic they can think of that will help ensure their mandate (secure apps). This person is also likely to train the security champions.
  • Governance: writing policies, guidelines, standards, etc., to ensure your apps are secure. This job is usually done either by the person who does all the governance work for your org, working with the AppSec team to get the details right, OR by a consultant, because this is not an activity that needs to be redone constantly.
  • Incident Response: this area includes jobs as an incident manager (you boss everyone around and make sure the incident goes as smoothly as possible), and investigations (Forensics/DFIR). Investigating incidents related to insecure software is a topic I personally find thrilling; detective work is exciting! But with the stress it causes, it's not for everyone.
  • Security Testing: sometimes called Penetration Testing, sometimes called Red Teaming, sometimes not officially recognized as a job because management isn't "ready" to admit they need this yet. This person tests the software (and sometimes networks) to ensure they are secure. This includes manual testing, using lots of tools, and trying to break things without causing a huge mess. 
  • Design Review: this is normally the job of a "Security Architect", but AppSec folks are often asked to review designs for potential security flaws. If asked, say yes! It's super fun and always educational. Bonus: it's a good way to build trust between security and the developers.

In AppSec you will also be asked to do a range of other things because that's how life is. Potential asks: install this giant AppSec tool and figure out how it works, create a proof of concept for an exploit to show everyone that it is/is not a problem, create a proof of value with a new AppSec tool we are considering acquiring, get all the developers to log their apps like 'so' so that the SIEM can read the results, research how to do something securely when you have no idea how to do that thing at all, etc. Like I said, it's super fun!

ISACA Victoria, Dec 2019

SOC Analyst/Threat Hunter: SOC analysts interpret output from the monitoring tools to try to tell if something bad is happening, while threat hunters go looking for trouble. This is mostly network based, and I'm not good at networks, otherwise I would have been all over this when I moved into security. The idea of threat hunting (using data and patterns to spot problems) is very appealing to my metric-adoring brain. Note: SOC Analyst is a junior or intermediate position and threat hunter is not a junior position, but if you want to get into InfoSec they are basically always hiring for SOC Analysts, at almost every company.

Security Architect (apps, cloud, network): Security architects ensure that designs are secure. This can mean reviewing a deployment, network or application design, adding recommendations, or even creating the design themselves from scratch. This tends to be a more senior role.

Risk Analyst: Evaluate systems to identify and measure risk to the business, then offer recommendations on how to mitigate or when to accept the risks. This tends to be coupled closely with Compliance and Auditing, which I won't describe here because I am shamefully under-educated in this area.

Security Policy Writer: Writing policies about security, such as how long network passwords need to be, that all public-facing web apps must be available via HTTPS, and that only TLS 1.2 and higher are acceptable on your network. Deciding, writing, socializing and enforcing these policies are all part of this role.

Malware Analyst/Reverse Engineer: Someone needs to look at malware and figure out how it works, and sometimes people need to write exploits (for legitimate reasons, such as to prove that something is indeed vulnerable, or… You need to ask them). If you enjoy puzzles and really low level programming (such as ARM, assembler, etc), this job might be for you. But be careful; playing with malware at home is dangerous.

Chief Information Security Officer (CISO or CSO): "The boss" of security. This person (hopefully) has a seat at the executive table, directs all security aspects for a company, and is the person held responsible, for better or for worse. If you enjoy running programs, managing things from a high level, and making a big difference, this might be a role for you.

Blue Team/Defender/Security Engineer (enterprise security/implements security tools): The people that keep us safe! These people install tools, run the tools, monitor, patch, and freak out when people download and install things to their desktops without asking. They perform security operations, making sure all the things happen, while those in the SOC (Security Operations Centre) monitor everything that's happening and respond when there are problems.

There are many, many, many jobs within the field of Information Security, so please feel free to list some of the ones that I missed in the comments below. I hope this information helps more of you join our industry, because we need all the help we can get!


If you want to continue to develop your skills, check out WeHackPurple Academy's NEW course, Application Security Foundations, taught by yours truly! There is also a lot of awesome content to subscribe to for only $7 a month!

Posted by OWASP DevSlop: an OWASP Project; a hacker jungle gym built on DevOps disasters.

Discussion


Amazing write up of what the Info-Sec field is comprised of. I'm planning on writing a post that details the path that someone can take to get into information security from an entry-level perspective and will definitely be referring back to this :)

One section I'd like to add that is becoming increasingly important is the cyber crime division. It's their responsibility to work with local or international police groups to track down those behind cyber attacks against the organization.


I've spent the last couple of years in the industry, and I've genuinely never even heard of the term. Is that potentially something unique to US companies?


BRILLIANT. Yes, I need to add that. Thank you.


Love this post. There are so many sub-fields of security that it can be really hard to guide people (or yourself) through them.

One of the interesting roles is one I've been embodying for the past few years. It grew out of my Developer/AppSec experience and basically covers "Secure Development" as a whole. It has aspects of the general AppSec roles, with heavy emphasis on Secure Code Reviewer, Security Architect, Developer Education, and (not previously listed) Secure Developer. The last role is someone who specializes in building secure code in especially sensitive settings. They commonly work with developers (playing off the Developer Education and Secure Code Reviewer) while remaining especially hands-on for specialized/sensitive pieces.


Hello!

Thanks, your post is very informative, and since you came from the dev side of the force like me, I'm especially interested in how you made the move from dev to infosec.

Did you obtain some sort of certification before applying? Most companies seem to look for people experienced in infosec, and it seems hard to make a move as a developer saying "hey, hire me, I can learn things!".

I used to play around with RE and stuff like the "exploit-exercises" challenges, so working in appsec and RE/Malware analysis look very shiny to me.

Sometimes I feel like getting back to studying it seriously and applying for some position, and end up not doing it. Could you share what your experience was like? Was the effort of changing your career path worth it, in your opinion?

Did your previous work experience play an important role in your hiring, or were interviews/some kind of "portfolio" decisive?


Hi Roger,

I actually wrote another blog post about my entire career path, here: dev.to/shehackspurple/my-career-st...

I'm currently writing a book which I hope will serve as a clear and easy to understand introduction to AppSec (Alice and Bob Learn Application Security), and am planning to create online training on how to become an AppSec or DevSecOps engineer, starting very soon. Currently there is no clear career path into security, and I think that sucks. So I'm going to try to create one, at least for my small speciality within InfoSec.

Wish me luck, I need it! :-D


Thanks for this. I've been interested in security for a bit (Ok, since 2003) and this lays out many of the potential paths I can take.


Please join us, we need all the help we can get. There is definitely a place for you.


Love the reference. Though, colleges aren't good at navigating towards which job positions are set for those who major in cybersec/infosec. I spent a year after graduating looking for an infosec position with the little experience I had, which landed me a DevOps engineer position. I searched private and gov't positions, anywhere from security analyst to cybersec engineer, only to be turned down. Do certs and a degree increase the chance of opportunity, or does that not matter? Still, after 1.5 yrs experience, I haven't heard back from any cybersec position.
Ok, rant is over. Thank you again for the fine-grained breakdown of positions in cybersec/infosec.