Lack of Professionals in AppSec

In recent years, not only AppSec but the whole IT sector has grown exponentially, which increases both the demand for and the shortage of specialized AppSec professionals.

We are nearing the end of another year, and as every year we begin to take stock of what happened in this one in order to project what we want for the next.

In companies this is no different: everyone begins planning for the next year, and as with any plan for expansion or product improvement, some points always receive more attention than others.

In our case, applications: companies begin searching for new talent and run into the reality of the market, which lacks good, qualified professionals to fill the positions offered.

Given this shortage, the professionals who stand out in the market are increasingly valued, which makes it even harder for companies to find them.

But why does this happen? What are the factors that lead the market to have this great shortage of professionals?

In this article, we present some data that can help identify these reasons and show practitioners that continually improving their qualifications has its benefits.

The AppSec Market

As much as anyone in the market perceives a lack of professionals, or even a lack of the necessary skills and knowledge, we have no research that validates this perception.

So we will rely largely on our own observation, along with some data we have access to from the external cybersecurity market, to draw a slightly more realistic picture.

In the domestic market, development professionals move frequently between the most diverse companies; this is not surprising, as the market and the world are becoming increasingly digital.

The point is that even with all this searching and job switching, we still see development professionals without basic knowledge of secure development best practices.

The question remains: why, even with such demand for professionals, do we still have this knowledge gap?

Supply and Demand of specialized professionals in the AppSec market

Well, we don’t have much data from the domestic market to help answer this, but from what we have seen in our time in the market, it seems to us that our developers rely more on the shortage of professionals to stay employed than on their technical skills and knowledge.

In interviews with clients and the market in general, we noticed that managers widely complain about the lack of professionals whose knowledge goes beyond what is expected as basic to the profession.

However, improving developer skills with a focus on AppSec, or even DevSecOps, should also be a corporate mission, but companies do not seem to see it that way.

So, what we have in our AppSec market today is a widespread lack of professionals with the knowledge needed to build secure applications.

In our experience, nothing demonstrates this more than the simple question: Do you know OWASP?

Believe it or not, in a class of over 40 people, we are sometimes lucky to find 3 or 4 who already know it.

This is important data because, for web developers, OWASP should be a basic source of knowledge.

What do surveys indicate about specialized professionals in the AppSec market?

Even though the data analyzed come from research outside Brazil, they may still bear a great resemblance to our market, since the technology we use here is the same used abroad.

However, we first need to align on a concept used in international research, which can make a certain difference in the Brazilian scenario.

In the foreign market, the term cybersecurity designates professionals who work across the entire protection cycle of a business, which also includes development professionals.

Having aligned this, we can continue evaluating data from the survey conducted every year by Enterprise Strategy Group (ESG).

ESG is a company that conducts research with IT professionals to try to understand how the professional sees the market and how the market sees the professional.

Lack of knowledge by AppSec professionals

In the 2018-2019 survey, the latest conducted by the company, the lack of cybersecurity knowledge among professionals again appears at the top of the list of negative points.

This finding is not new: in recent reports this topic has been one of the most frequent, as the list below shows.

  • 2018-2019: 53% point out cybersecurity skills issues
  • 2017-2018: 51% point out cybersecurity skills issues
  • 2016-2017: 45% point out cybersecurity skills issues
  • 2015-2016: 42% point out cybersecurity skills issues

These data are reinforced by observations from Gartner analysts, who identified in their article’s key points that:

By the time the need for new cybersecurity skills is fully obvious, it is often too late to develop a plan of action; the organization has already been left exposed to active threats for some time.

This is clear to us, since we have the chance to observe this reality in our services.

Lack of secure development training in the AppSec market

We see that the secure development process is only given importance either when something serious happens or when training is needed to justify compliance.

This point is reinforced by ESG research data showing that, for most professionals, companies are not offering training that is relevant to their real needs.

[Pie chart: AppSec professionals’ opinion that companies are not providing training to keep up with market challenges]

In the graph above, we can see that 63% of professionals consider that the training offered by companies does not reach the level of knowledge necessary to prevent risks in the cybersecurity area.

As if that were not alarming enough, in the same 2018 survey, 83% of companies did not act to provide appropriate training to their cybersecurity teams.

This 83% figure is higher than that found in the survey in previous years; it seems the scenario has gotten worse.

Therefore, we are not learning from our mistakes.

It was with this in mind that we wrote an article outlining our arguments for why the training process needs more attention.

Above all, not only because of compliance but also because of the need to keep professionals up to date.

Lack of Vision in the AppSec market

However, there is an interesting point when we compare this with Gartner research on the intention to expand cybersecurity teams.

In this other article, Gartner shows us that companies have a strong intention to increase their staff, but, given the ESG survey data, how will this increase happen if knowledge is primarily what is lacking?

[Chart: Gartner research on cybersecurity managers’ intentions to increase staff]

Even so, the equation is not clear.

On the one hand, we have managers wanting and seeking to increase their security staff, and it is understood that this also includes the aim of improving the security of their applications.

On the other hand, only a small share of these managers seek to increase the knowledge of that same staff.

This is reinforced when we see that training receives one of the smallest shares of companies’ budgets, while a large chunk goes to purchasing and renewing tools.

Therefore, companies need to quickly review the priorities in their planning.

How can we improve the supply and demand of AppSec professionals?

We strongly believe in education, and this is one of the foundations we pursue every day.

However, we believe that this should also be one of the key points companies consider when setting up their planning at the beginning of each year.

Including training in your planning, carrying it out consciously and fostering knowledge acquisition is fundamental for companies that want better results in Application Security, and a key point in reducing application risks.

However, we also understand that this is not only the responsibility of companies: professionals bear a great responsibility for this result too.

There are great sources to browse and research for quality material.

Seeking security knowledge and best practices should be a goal shared by both the company and each professional who wants to maintain and improve their career.

Thinking about where to start? How about getting to know OWASP?

About the author

Over 15 years of experience in Information Security and Applications, graduated in Data Processing, worked as a Professor and participated actively as an instructor in training for more than 6000 developers and IT teams. Father of two daughters and trader in his free time.