Security-aware developers: AppSec needs you!

Published Oct 29, 2021
by Matias Madou, Ph.D.
Case Study


Although it may seem counterintuitive to anyone working outside of software development, many of the professionals employed in application security over the years have worked in those critical roles with little or no programming experience. These AppSec professionals are part of the team that is responsible for making sure that no vulnerabilities creep into the applications that have become the lifeblood of many industries and organizations, and yet few of them can actually directly evaluate or fix the code themselves. 

Instead of coming from a coding background, many security professionals approach their roles from the perspective of key knowledge around attack vectors, threats, exploits, and business risk; they have a limited view of code. While not every AppSec guru has the same skillset, a typical day for many involves working with code reviewers and scanning tools to ensure that programs and systems are secured according to organizational standards, or relevant industry and government frameworks. They then write up reports about their findings, and send back information on the attack vector that may break the code. It is then up to developers to make necessary fixes, no matter how disruptive it may be to current work.

The situation developed this way because the prevailing logic over the years was that the job of protecting networks and applications was so vast that it didn’t make sense to expect everyone working in cybersecurity to perform every role. Deep coding skills were left to the developers, and little value was placed on the ability to write or edit code further down the development pipeline.

That mindset is changing fast, and that presents a unique opportunity for developers to make the lucrative jump and career shift into AppSec. Not every developer will want to embrace the so-called dark side, and many developers aren’t particularly positive in their opinions regarding AppSec teams. But for those who do, there has never been a better time to grab that increasingly tempting brass ring.

DevSecOps drives nearly every industry

One of the biggest factors in elevating the value of security-aware programmers and developers in any organization is the almost universal move to embrace more agile development practices like DevSecOps. When development, security, and operations are combined, cybersecurity becomes a shared responsibility integrated into the development of new software from end to end. In that environment, the ability to code is increasingly being seen as a valuable asset across the board, and this is especially true for engineers who also inherently understand security.

An AppSec professional who not only understands cybersecurity at a high level, but also the code that makes everything work, is inherently more valuable to any organization than someone whose knowledge is concentrated on the theoretical. Being able to quickly discover and evaluate vulnerabilities found within code, and then mitigate those problems, is at the core of why DevSecOps is seeing such popularity.

Developers working in AppSec also bring another big advantage to any organization that employs them. Coming from the development side of the house makes it easy for them to talk with developers about security and vulnerabilities. It also makes it much easier to become coaches for the development teams, helping them to become better coders. Over time, they might even be able to remove the “dark side” stigma from AppSec and help to unify teams within software development across an organization.

The cybersecurity skills shortage is getting worse

Shakespeare mused that it’s an ill wind that blows nobody any good. What he meant was that even the darkest situation probably benefits someone. The cybersecurity skills shortage is a great example of this.

The shortage of personnel is being felt acutely almost everywhere. In a recent survey conducted by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations. To put this crisis in an even better perspective, the report pointed out that just in the United States alone, there were more than 520,000 unfilled cybersecurity jobs in 2020 for a field where only about 940,000 are employed.

The cybersecurity personnel shortage is bad news for organizations trying to protect their infrastructure, business and data from an increasingly dangerous threat landscape. But it makes a good opportunity for developers looking to get into AppSec and security. Chances are that cybersecurity and AppSec positions are available almost everywhere. And with cybersecurity positions taking an average of 21% more time to fill these days, salaries are rising across the board.

Making the jump to AppSec

There may never be a better time for developers to make the lucrative jump to the sunny security side of life. Security-aware developers are no longer seen as just part of a stopgap security method, but are instead filling out a full and respected role as cybersecurity defenders. This is especially true for organizations that have embraced DevSecOps and other more agile development methodologies. And the cybersecurity talent shortage means that positions are available at nearly every company, government agency or organization. Those with the right skills can pick and choose where they want to work.

Moving to AppSec may not be for everyone, and of course, most developers will remain focused on building amazing features. But for those who are considering making the jump, investing in security training to augment their existing coding skills can open up a lot of doors. The best AppSec people come out of engineering, because they deeply understand the tech and have empathy for the plight of their fellow developers. DevSecOps means that everyone is now responsible for security anyway, so why not take advantage of the current critical skills shortage to advance your career into application security? There has never been a better time to make a positive move for yourself, your family, and your career.


Author

Matias Madou, Ph.D.

Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products, and he holds over 10 patents. Away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
