Career roadmap

Application Security Engineer

How to become an Application Security Engineer — embedded with engineering, owning SDLC security. £70k–£140k in UK tech.

Year-by-year milestones

  1. Year 0Software Engineer with security interest£50k–£70k

    Production engineering experience in at least one stack.

  2. Year 1–2Application Security Engineer£70k–£95k

    Threat model new services, review high-risk PRs, tune SAST, run security champions.

  3. Year 3–5Senior AppSec Engineer£95k–£130k

    Own appsec programme, build paved-road libraries, lead vuln response, present at internal eng all-hands.

  4. Year 5+Staff / Principal AppSec Engineer£130k–£180k+

    Set product security strategy, own bug bounty, represent firm at OWASP/BSides, mentor senior engineers.

AppSec Engineers embed with engineering teams to ship secure software: threat modelling, secure code review, SAST/DAST/SCA tooling, security champions programme, and vulnerability response. The role is the highest-leverage way to scale security across an engineering org. ## Career milestones ### Year 0 — Software Engineer with security interest _Salary: £50k–£70k_ Production engineering experience in at least one stack. ### Year 1–2 — Application Security Engineer _Salary: £70k–£95k_ Threat model new services, review high-risk PRs, tune SAST, run security champions. ### Year 3–5 — Senior AppSec Engineer _Salary: £95k–£130k_ Own appsec programme, build paved-road libraries, lead vuln response, present at internal eng all-hands. ### Year 5+ — Staff / Principal AppSec Engineer _Salary: £130k–£180k+_ Set product security strategy, own bug bounty, represent firm at OWASP/BSides, mentor senior engineers. ## Core skills - OWASP Top 10 + ASVS fluency - Threat modelling (STRIDE, attack trees) - Secure code review in 2+ languages (Python, JS/TS, Go, Java, Rust) - SAST (Semgrep, CodeQL), DAST (Burp Suite Pro), SCA (Snyk, Dependabot) - Authentication and session management (OAuth 2.0, OIDC, JWT pitfalls) - Bug bounty triage and CVSS scoring - Security champions programme design - Developer empathy and code-as-comms ## Recommended certifications - `security-plus` - `oscp` ## First 90 days in the role Ship a Semgrep ruleset with 5–10 high-signal rules for your most-used framework. Threat-model one new high-risk service and present findings to its team. Identify 3 engineering leads who will become your first security champions. ## Common pitfalls Becoming the 'no' team. AppSec engineers who block PRs without offering an alternative get routed around. Build paved roads — secure-by-default libraries, copy-paste examples, and 1:1 office hours.

Frequently asked questions

Do AppSec Engineers need to be developers?

Yes — production coding experience is the differentiator from generalist security engineers. The role asks you to read and write code daily.

OSCP useful for AppSec?

Useful, not essential. More valuable: HackTheBox Academy 'Web Attacks' / 'API Attacks' tracks, plus reading published bug bounty reports daily.

Is the role being absorbed by Platform Security / DevSecOps?

Adjacent but distinct. Platform Security owns CI/CD pipeline hardening and infra-as-code. AppSec owns the application layer.

How big is the UK AppSec market?

Strong and growing — every UK fintech, scale-up, and bank has 2–20 AppSec engineers; ratio is ~1 AppSec per 50–100 developers.

Map your own roadmap

Get a personal gap report, AI Career Twin and practice keyed to your target band.

Start free
// related