How to become an Application Security Engineer — embedded with engineering, owning SDLC security. £70k–£140k in UK tech.
Production engineering experience in at least one stack.
Threat model new services, review high-risk PRs, tune SAST, run security champions.
Own appsec programme, build paved-road libraries, lead vuln response, present at internal eng all-hands.
Set product security strategy, own bug bounty, represent firm at OWASP/BSides, mentor senior engineers.
Yes — production coding experience is the differentiator from generalist security engineers. The role asks you to read and write code daily.
Useful, not essential. More valuable: HackTheBox Academy 'Web Attacks' / 'API Attacks' tracks, plus reading published bug bounty reports daily.
Adjacent but distinct. Platform Security owns CI/CD pipeline hardening and infra-as-code. AppSec owns the application layer.
Strong and growing — every UK fintech, scale-up, and bank has 2–20 AppSec engineers; ratio is ~1 AppSec per 50–100 developers.
Get a personal gap report, AI Career Twin and practice keyed to your target band.