March 9, 2021 By David Bisson 3 min read

Application development security is a key task when it comes to looking to the future of cybersecurity. A recent industry study shows it is the fastest-growing cybersecurity skill for the year ahead. Demand is expected to increase by 164% over the next five years. Such growth would bump up the total number of job openings requiring this skill from 29,635 in 2020 to 48,601 a few years from now.

These findings raise important questions. What is application development security? And, what’s driving the rapid growth?

Application Development Security at a Glance

First, this job is about strengthening the defenses of an app by finding and fixing openings. As the name implies, this process most often takes place within the development phase before an app goes into production. But it can occur after the owner has deployed those apps, as well.

There is more than one way to approach application development security, also known as application security testing (AST). The methods practitioners in this field are most likely to use include the following:

  • Static Application Security Testing (SAST): In this type of web application security testing, the security experts on the job have knowledge of an application’s architecture. They use that knowledge to report weaknesses within the source code.
  • Dynamic Application Security Testing (DAST): Unlike SAST, DAST assumes no knowledge of an application’s code. Its purpose is to find potential openings in a specific app while it is running.
  • Interactive Application Security Testing (IAST): This method combines SAST and DAST into a hybrid approach.
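To make the SAST/DAST distinction concrete, here is an added example (not code from the original article): a toy static analyzer that reads source and flags SQL queries built by string formatting, beside a dynamic probe that knows nothing about the code and only observes how the running function reacts to a benign input containing a quote. The sample application functions and the in-memory database are constructed for the example.

```python
import ast
import sqlite3

# Constructed sample application code: the weakness and its fixed form.
VULNERABLE_SOURCE = '''
def find_user(conn, name):
    query = "SELECT id FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()
'''
SAFE_SOURCE = '''
def find_user(conn, name):
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
'''

def sast_scan(source: str) -> list:
    """Static view (has the code): line numbers of execute() calls whose query is
    built by concatenation, %-format or f-string, even via a local variable."""
    tree = ast.parse(source)
    assigned = {}  # local name -> expression assigned to it
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            assigned[node.targets[0].id] = node.value
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Name):
            arg = assigned.get(arg.id, arg)
        if isinstance(arg, (ast.BinOp, ast.JoinedStr)):
            findings.append(node.lineno)
    return findings

def load_function(source: str):
    namespace = {}  # turns the sample source into a live function (a stand-in for a deployed app)
    exec(source, namespace)
    return namespace["find_user"]

def dast_probe(find_user) -> bool:
    """Dynamic view (no code access): call the running function with a benign name
    containing a quote; a SQL syntax error means input reaches the query unescaped."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    try:
        find_user(conn, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True
```

The static scan reports the offending line in the vulnerable source and nothing in the parameterized version, while the probe reaches the same verdict purely from runtime behaviour.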

Why the Need for Application Development Security?

The growing demand for application development security reflects two ongoing trends.

1. The world is becoming more mobile. Businesses and other groups invest in their users being able to interact with their services via an app on a variety of devices. Along the way, they need someone with application development security skills to secure those apps in order to ensure consistent and secure mobile performance for a growing portion of their user base.

2. Openings in an app’s defenses erode trust between the creators and the users. Overall, flaws like this are common in mobile apps. Almost three-quarters of iOS and Android apps analyzed for a 2020 study wouldn’t have passed a basic security test. More than four-fifths (83%) of those surveyed apps had at least one flaw, with openings showing up in 91% of iOS apps and 95% of Android apps analyzed in the study.

Keep Your Business Secure

Those holes pose a threat to businesses. Weak server-side controls, unsafe data storage, broken cryptography and other problems open the door for external attackers to scrape information. Potential customers might hesitate to do business with groups that suffered a data breach because of poor application development security. That’s assuming those groups can continue to operate after paying for repairs, paying the legal fees and other damages that come with a breach.

Lastly, some customers aren’t even waiting that long before demanding that application development security be taken seriously. Customers are telling companies whose apps and other products they use to write more secure code before those companies have even faced an attack. In some cases, the pressure supplied by customers dwarfed the pressure applied by regulators and compliance auditors. This shows how application development security is becoming a means by which organizations can maintain trusting partnerships with their customers from the moment they begin doing business together, not just in the aftermath of a publicly disclosed problem.

Best Practices for Developers

Just as the defensive skills workplaces need most keep changing, so do the tools that support them. Software composition analysis tools, along with limited security testing built right into developers’ toolchains, could replace older AST methods within the next few years. Industry experts predict that automated solutions will be capable of fixing 10% of openings spotted by SAST tools by 2022.

These forecasts provide a glimpse into where application development security as a field is going. But they don’t detract from the basic practices that developers can use on their side to produce secure apps. For instance, developers need to realize there’s rarely a need for them to write their own security code from scratch and hope they get it right. Instead, they can build on secure frameworks. They should also make sure they’re using the latest versions of third-party code and libraries.

Developers should remember the power of teamwork, too. They can join forces with security architects and the operations team in order to implement threat modeling. This process won’t just help find and triage potential threats. It also fosters communication and mutual understanding — the foundations of building a DevSecOps culture.

Application Development Security for the Future

Like we said at the top, application development security is the way for organizations to ensure their place in the future. The tools and methods for putting application security in place might change, but the basics of security will remain relevant throughout the next few years and beyond.
