Application Security
March 24, 2022

Application security – understanding the human capability issue


Despite being a problem with software, application security has always been a human capability issue.

Applications are built by teams of people. Any vulnerabilities exploited by attackers in the end product are ultimately the result of a deficit of cyber knowledge, skills and judgment in the build process.

Because of this, the industry has agreed for some time on the importance of upskilling development teams so applications and services can be built secure from the outset – prevention rather than cure.

Our inaugural Cyber Workforce Benchmark set out to analyze some of the trends we see in the data collected by our platform.

One thing we found was that development teams seemingly build human capabilities at a much quicker pace than their cybersecurity team counterparts.

While speed doesn’t necessarily mean better, it is interesting to note that 78% of all application security skills are developed faster than the expected completion times by AppSec teams, compared to just 11% of cybersecurity labs. AppSec labs were completed an average of 2.5 minutes under the projected time, while cybersecurity labs were 17 minutes over.

Organizations must embrace this desire for developers to build cyber knowledge, skills and judgment at pace and provide them with quick and engaging capability development tasks ring-fenced from time in the SDLC.

In this way, application security becomes an organic process – embedded in the team and present in every dev cycle – as opposed to something which is a drag on innovation.

To take a deeper dive into our report’s AppSec findings, which outline which human capabilities are most commonly developed, as well as an analysis of OWASP, encryption and testing skills, click here.

 

Sean Wright
Principal Application Security Engineer

 

 

 

 
