▲ 8 r/SecurityCareerAdvice+1 crossposts

Move into Appsec, what should I consider before doing it?

Backend engineer, ~5 YOE, 1 year at current. I've been offered an internal move to AppSec.

At my previous job I was the security guy on my team ("Security Champion" programme, but for technical people) - moving security initiatives for our app, exploratory testing (found a few big vulns while messing around), and owning the security side of a cloud migration: data classification, SAST in CI/CD, and passing internal audits - this was around 20% of my capacity, the rest were usual developer work. I liked it and wanted to grow in security, but left for a better BE offer.

Current job is distributed systems with e2e ownership in a great team, so I've picked up solid devops experience too. The really great team makes the choice a bit harder too :).

Two things worry me:

  • AppSec seems like it could mean really different stuff depending on the company - scanner triage at one place, threat modeling and architecture review at another. What is the real-deal appsec engineer job have to look like so I can be competitive if I decide to grow in this field?
  • Would the previous BE experience(granted that some of it ~2YOE was with a security flavour) hurt my prospects if I try to pursue an appsec role, and vice versa would the appsec experience hurt future BE prospects. Basically is there bidirectional transfer of skills. I'm guessing so, but I might be guessing badly.
  • Is AppSec going to be impacted badly by LLMs?

Anyone made this switch? What should I look for in an appsec role.

Disclaimer: I've used AI to make this post more understandable, English is not my native language, neither am I too good with words.

reddit.com
u/outMyComa — 10 hours ago