The AppSec industry is at a turning point. Although demand is high, experienced professionals struggle to find suitable jobs, and companies struggle to secure their software within limited budgets. To lead the way, AppSec professionals will need strong abilities to drive cultural change. What will drive the future of AppSec?
DevSecOps and broken expectations
The AppSec (Application Security) industry is currently facing some interesting challenges. In my opinion, the industry has not matured as quickly as expected (just remember the DevSecOps boom back in 2010-2014).
Right now, we are experiencing a mismatch between supply and demand. Experienced, highly paid professionals struggle to find suitable opportunities, while companies can't find the people they need within their current budget limitations.
There is also a gap in software security practices that reflects the state and maturity of each market segment:
- The startup sector, which attracted many AppSec professionals during the 2020-2021 tech boom, is now heavily affected (just think of the Spotify, Shopify, Niantic, or Meta layoffs).
- The mid-market is somewhat stuck at the beginning of its cybersecurity journey, with software security often lagging behind other areas such as governance, risk, code assurance, and incident response.
- Large companies still operate under a project-based operating model, which turns AppSec activities into point-in-time assessments rather than continuous improvement.
AppSec professionals struggle
On top of the economic downturn, there is growing mutual frustration caused by siloed software, DevOps, and security teams. Unfortunately, some companies decide to lay off their most recently hired staff, and those layoffs include cybersecurity and DevSecOps professionals.
At the same time, the shift-left culture lacks strong support and visibility from leadership, so the return on investment (ROI) of Application Security (AppSec) is rarely measured.
Developers who take on security responsibilities, the famous “Security Champions,” also play a crucial role: they help move security left by bringing AppSec into the development process earlier. However, this approach can lead to expensive security professionals being let go when cost-cutting measures come into play.
What’s next for AppSec?
In the ever-changing landscape of Application Security, a slow but transformative shift is taking place, and this is what I see coming next:
- AppSec will evolve from training and consulting to building secure platforms and processes.
- Platforms and tools scale better than people: they can eliminate entire bug classes, provide identity and authentication mechanisms, and offer built-in security guarantees.
- We will see more and more intuitive, cost-effective, AI-powered security tools developed by startups, allowing developers to secure their code without relying on AppSec consultants.
There will be solid demand for AppSec professionals in leadership roles who can position themselves at the intersection of three skills: 50% cultural change, 25% software engineering, and 25% cybersecurity.