Application security remains a top concern for organizations, which keeps the need for skilled cybersecurity professionals as urgent as ever. Nearly half of the security practitioners at high-performing enterprises who took part in a recent Ponemon Institute study on reducing enterprise application security risks said that attacks on insecure applications are their organization's biggest concern.
What Kinds of Hacks Concern Your Organization the Most?
From: Ponemon Institute's Reducing Enterprise Application Security Risks: More Work Needs to Be Done
The same report found that nearly 40% of organizations cited a lack of qualified personnel as a reason it was difficult to remediate vulnerabilities in their applications. While it was not the number one reason given, it is clear that organizations are struggling with a cybersecurity skills gap.
The cybersecurity skills shortage has existed for a long time, but it was exacerbated by COVID-19 and the increased demand for security work that came with it. In 2020, the International Information System Security Certification Consortium, (ISC)², estimated that an additional 3.1 million cybersecurity workers were needed to meet demand. While that is a drop from the 4 million shortfall estimated a year earlier, it still leaves a significant void in the market.
There are multiple reasons for the shortage. Cybersecurity jobs typically require a four-year college degree, which effectively excludes many people from low-income families from a career in the field. At the same time, Forbes reported in 2019 that of the top 50 US computer science programs, only 42% offered more than three information security courses.
As a result, organizations are short of the cybersecurity specialists they need to secure their application development.
As the pace of software development and delivery continues to accelerate, the traditional separation between developers and security professionals has become a major barrier to releasing secure software quickly. Security teams need to be much more involved in how software is built.
This separation, combined with the skills shortage, leads to software releases that ship without the security measures they need. Breaking down the silos that separate development and security teams requires a significant cultural change that organizations will have to embrace.
Organizations are in the unenviable position of needing a skill set that is not readily available in the market. To close this gap, they must give development teams tools and practices that let them keep their own software secure.
These practices allow organizations to build secure applications at today's competitive pace of delivery, so that their users can operate with confidence.
Automated application security testing (AST) tools, which can be integrated into the earliest stages of development and run throughout the DevOps pipeline, help ensure that security is built into development from the start rather than bolted on at the end.
These AppSec testing tools give developers the automation they need to address security and allow them to do their jobs without becoming security experts. Advanced AST tools automatically detect security issues, prioritize them by severity, and in some cases remediate them automatically.
We have seen organizations' investment in AST tools increase over the past few years. When selecting one, however, organizations should favor a solution that integrates easily into developers' existing workflows and environments.
While it may seem obvious, many organizations don’t prioritize their developers’ needs when it comes to application security tools.
This is unfortunate, because tools that are not integrated and easy to use often go unused. Developers need tools that run quietly in the background, do not interfere with their work, and surface the information they need at the time and place they need it, for example as a comment on the pull request or a failed build step. Tools that constantly send notifications, interrupt work, and add noise get in the way, and ultimately tend to be ignored.
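One concrete way to meet the requirements described above, that findings are prioritized, surfaced where developers already work, and do not block on noise, is a small CI gate that consumes the SARIF output most AST tools can emit. The script below is an added example, not code from the original article or from any particular vendor's tool. It parses a constructed SARIF 2.1.0 report (the `example-sast` tool name, rule ids, file paths and line numbers are made up for illustration), resolves each finding's severity from the result or the rule's default, fails the build only for findings at or above a threshold, and prints GitHub Actions workflow commands so the findings appear as inline annotations on the diff.

```python
"""Severity-gate a SARIF report from any AST tool in CI (added example)."""
import json
import sys

# Constructed sample SARIF 2.1.0 report, standing in for a real scanner's output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "py/sql-injection", "shortDescription": {"text": "SQL built from user input"},
             "defaultConfiguration": {"level": "error"},
             "properties": {"security-severity": "9.8"}},
            {"id": "py/hardcoded-credential", "shortDescription": {"text": "Hard-coded credential"},
             "defaultConfiguration": {"level": "warning"},
             "properties": {"security-severity": "7.5"}},
            {"id": "py/unused-import", "shortDescription": {"text": "Unused import"},
             "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            {"ruleId": "py/sql-injection", "message": {"text": "Query uses f-string with request data"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/hardcoded-credential", "level": "error",  # result overrides rule default
             "message": {"text": "AWS secret key literal"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/settings.py"},
                                                 "region": {"startLine": 7}}}]},
            {"ruleId": "py/unused-import", "message": {"text": "os imported but unused"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                                 "region": {"startLine": 1}}}]},
        ],
    }],
}

SEVERITY_ORDER = {"note": 1, "warning": 2, "error": 3}


def extract_findings(sarif):
    """Flatten a SARIF document into flat finding records with a resolved severity."""
    findings = []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            # SARIF: a result's own level wins; otherwise the rule's default; otherwise "warning".
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            # "security-severity" is the CVSS-style score GitHub code scanning reads from rule properties.
            score = rule.get("properties", {}).get("security-severity")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "unknown"),
                "level": level,
                "score": float(score) if score is not None else None,
                "file": loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def gate(findings, min_level="error", min_score=7.0):
    """Split findings into (blocking, advisory): block on level or score at/above threshold."""
    blocking, advisory = [], []
    for f in findings:
        by_level = SEVERITY_ORDER.get(f["level"], 0) >= SEVERITY_ORDER[min_level]
        by_score = f["score"] is not None and f["score"] >= min_score
        (blocking if by_level or by_score else advisory).append(f)
    return blocking, advisory


def annotations(findings, kind):
    """Render findings as GitHub Actions workflow commands (::error / ::warning) for inline diff annotations."""
    return [f"::{kind} file={f['file']},line={f['line']},title={f['rule']}::{f['message']}"
            for f in findings]


def main(argv):
    """Usage: python sarif_gate.py [report.sarif]; exits 1 if any blocking finding exists."""
    sarif = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_SARIF
    blocking, advisory = gate(extract_findings(sarif))
    for line in annotations(blocking, "error") + annotations(advisory, "warning"):
        print(line)
    print(f"{len(blocking)} blocking, {len(advisory)} advisory finding(s)")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run on the built-in sample, the gate blocks on the SQL injection (rule default level `error`, score 9.8) and on the hard-coded credential (the result's own `error` level overrides the rule's `warning` default), while the unused import is reported as a non-blocking warning. Tuning `min_level` and `min_score` is how a team keeps the signal-to-noise ratio high enough that developers keep reading the output; the thresholds and the annotation format are choices made here for illustration, not something the article prescribes.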
In performance reviews, software developers are typically rated on how much software they ship, not on how secure it is. For most of them, security is an annoying afterthought they would rather not deal with.
Developer security champions work to change that perception within the development team. They bring security issues to the fore, coach their peers, and see that security best practices become part of the developer mindset. In doing so they help shift security left, so that it fits naturally into the development process instead of being imposed at the end.
The shortage of cybersecurity professionals has created the need for tools and practices that work together to keep applications from being exposed to attack. Automated AppSec tooling, combined with updated processes and security champions inside development teams, will help bridge the cybersecurity skills gap.