[Security Information] Why is the demand for application development security skills exploding?

  • Author | yannichen
  • Source | FreeBuf
  • Release time | 2021-03-19

When we talk about the future of network security, application development security is an inevitable link.

A recent industry study shows that it was the fastest-growing cybersecurity skill of the past year. It is estimated that in the next five years, the demand for application security development skills will increase by 164%. Correspondingly, the total number of vacancies for this position will rise from 29,635 in 2020 to 48,601 in a few years.

So, what exactly are application development security skills? What are the reasons for their rapid growth?

What are the skills for application development security?

First of all, application development security skills are about strengthening the defenses of applications by finding and fixing vulnerabilities. This work usually happens in the development stage, before the application goes live, but sometimes it is also required after the application goes live.

In addition to application security testing (AST), application development security skills include the following:

  • Static Application Security Testing (SAST). This method requires the defender to have a certain understanding of the application architecture. They can use this knowledge to report weaknesses in the source code.
  • Dynamic Application Security Testing (DAST). Contrary to SAST, DAST assumes that the defender has no knowledge of the application code, and its purpose is to find potential vulnerabilities in the running state of the application.
  • Interactive Application Security Testing (IAST). This method combines both SAST and DAST.
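The contrast between the first two methods can be shown on one flaw. The following is an added example, not code from the original article: the sample application source, the function names and the single-quote probe are all constructed for illustration. The static check reads the source and flags a dynamically built SQL query; the dynamic check never sees the source and only observes how the running function reacts to input.

```python
import ast
import sqlite3

# Constructed sample application code (not from the article): one lookup builds
# SQL by string formatting, the other passes the value as a bound parameter.
APP_SOURCE = '''
def find_user_unsafe(db, name):
    return db.execute("SELECT id FROM users WHERE name = '%s'" % name).fetchall()

def find_user_safe(db, name):
    return db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
'''

def sast_scan(source):
    """SAST view: parse the source and flag execute() calls whose query is built dynamically."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args
                    and isinstance(node.args[0], (ast.BinOp, ast.JoinedStr))):
                findings.append((func.name, node.lineno))
    return findings

def dast_probe(lookup):
    """DAST view: no source access; send a lone quote and watch the running code react."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    try:
        lookup(db, "'")
    except sqlite3.Error:
        return True   # the input reached the SQL parser as syntax
    return False      # the input was handled as data

def load_app(source):
    """Execute the constructed sample source so its functions can be probed."""
    namespace = {}
    exec(compile(source, "app.py", "exec"), namespace)
    return namespace

if __name__ == "__main__":
    app = load_app(APP_SOURCE)
    print("SAST findings:", sast_scan(APP_SOURCE))
    for name in ("find_user_unsafe", "find_user_safe"):
        print("DAST probe:", name, dast_probe(app[name]))
```

The static check gives a file position to fix, while the dynamic check only says that the behavior is exploitable; correlating the two is the combination the IAST item describes.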

Why do you need application development security skills?

The growing demand for application development security skills reflects two continuing trends.

  • The world is becoming more mobile. Enterprises and institutions invest more in mobile devices, and users are more accustomed to obtaining services on the mobile side. In this process, companies need people with application development security skills to protect their applications, so that they can provide secure mobile performance to a large user base.

  • Vulnerabilities in application defense systems can weaken trust between users and developers. Such vulnerabilities are common in mobile applications. Nearly three-quarters of the iOS and Android applications studied and analyzed in 2020 did not pass basic security tests. More than four-fifths (83%) of the surveyed apps have at least one vulnerability, and 91% of iOS apps and 95% of Android apps in the study have vulnerabilities.

Ensure business security

These vulnerabilities pose a threat to the enterprise. Weak server-side control, insecure data storage, and compromised passwords are equivalent to opening the door for external attackers to steal information.

Potential customers may hesitate to cooperate with companies that have poor application development security and have suffered data breaches. Of course, cooperation presupposes that the company can continue to operate after absorbing the maintenance costs, legal fees and other losses caused by leaks.

What's more, some customers may not have time to wait for you to deploy application development security. Customers may say that the apps and companies they worked with previously wrote more secure code before they faced an attack. In some cases, the pressure brought by customers is comparable to the pressure brought by regulatory compliance agencies.

This shows that application development security is becoming a means of helping companies maintain trust from the initial stage of cooperation with customers, rather than after a problem has been publicly disclosed and has caused adverse consequences.

Best practices for developers

The defensive skills required in the work environment will also change over time. The software component analysis tools and defensive tests built into the developer's tool chain may replace the old AST method in the next few years.

Industry experts predict that by 2022, automated solutions will be able to repair 10% of the vulnerabilities found by SAST tools.

These predictions show the development trend of application development security as a field. But they do not affect the basic practices that developers can use when developing secure applications. For example, developers need to realize that they rarely need to write code from scratch. Nor do they need to build all of their defenses themselves. Instead, they can use a security framework to move their code forward. They should also make sure that they are using the latest version of third-party code or libraries.

Developers should also value the power of teamwork. They can work with security architects and operations teams to conduct security threat drills. This process not only helps to discover and divert potential threats, but also promotes communication and mutual understanding, which is the foundation for establishing a DevSecOps (development, security, and operations) culture.

Future-oriented application development security

As we said earlier, application development security is one of the elements of the future survival of an enterprise. The tools and methods that put application security in place may change, but the basic elements of security will remain relevant in the coming years and beyond.



Origin blog.csdn.net/YiAnSociety/article/details/115005055