Application development security is a key part of the future of cybersecurity. A recent industry study shows it is the fastest-growing cybersecurity skill for the year ahead. Demand is expected to increase by 164% over the next five years. Such growth would raise the total number of job openings requiring this skill from 29,635 in 2020 to 48,601 a few years from now.
These findings raise important questions. What is application development security? And, what’s driving the rapid growth?
Application Development Security at a Glance
First, this job is about strengthening the defenses of an app by finding and fixing vulnerabilities. As the name implies, this process most often takes place during the development phase, before an app goes into production. But it can also occur after the owner has deployed the app.
There's no single approach to application development security, otherwise known as application security testing (AST). The methods people in this field are likely to use include the following:
- Static Application Security Testing (SAST): In this type of web application security testing, the testers have some knowledge of an application's architecture. They can use this knowledge to report weaknesses within the source code.
- Dynamic Application Security Testing (DAST): As opposed to SAST, DAST assumes no knowledge of an application's code. Its purpose is to find potential vulnerabilities in a specific app's running state.
- Interactive Application Security Testing (IAST): This method combines SAST and DAST into a hybrid approach.
Why the Need for Application Development Security?
The growing demand for application development security reflects two ongoing trends.
1. The world is becoming more mobile. Businesses and other groups invest in their users being able to interact with their services via an app on a variety of devices. Along the way, they need someone with application development security skills to secure those apps in order to ensure consistent and secure mobile performance for a growing portion of their user base.
2. Vulnerabilities in an app's defenses erode trust between the creators and the users. Overall, flaws like these are common in mobile apps. Almost three-quarters of iOS and Android apps analyzed for a 2020 study wouldn't have passed a basic security test. More than four-fifths (83%) of those surveyed apps had at least one flaw, with flaws showing up in 91% of iOS apps and 95% of Android apps analyzed in the study.
Keep Your Business Secure
Those holes pose a threat to businesses. Weak server-side controls, unsafe data storage, broken cryptography and other problems open the door for external attackers to scrape information. Potential customers might hesitate to do business with groups that suffered a data breach because of poor application development security. That's assuming those groups can continue to operate after paying for repairs, legal fees and other damages that come with a breach.
Lastly, some customers aren't even waiting that long to demand better application development security. Customers are telling companies whose apps and other products they use to write more secure code before they've even faced an attack. In some cases, the pressure supplied by customers dwarfed the pressure provided by regulators and compliance auditors. This shows how application development security is becoming a means by which organizations can maintain trusting partnerships with their customers from the moment they begin doing business together, not just in the aftermath of a publicly disclosed problem.
Best Practices for Developers
Just as the defensive skills most needed by workplaces change, so do the skills themselves. Software composition analysis tools, along with limited security testing built right into developers' toolchains, could replace older AST methods within the next few years. Industry experts predict that automated solutions will be capable of fixing 10% of vulnerabilities spotted by SAST tools by 2022.
These forecasts provide a glimpse into where application development security as a field is going. But they don't detract from the basic practices that developers can use on their side to produce secure apps. For instance, developers need to realize there's rarely a need for them to write their own code from scratch. They don't have to hope they get security right. Instead, they can use secure frameworks to power their code forward. They should also make sure they're using the latest versions of third-party code or libraries.
Developers should remember the power of teamwork, too. They can join forces with security architects and the operations team in order to implement threat modeling. This process won’t just help find and triage potential threats. It also fosters communication and mutual understanding — the foundations of building a DevSecOps culture.
Application Development Security for the Future
As we said at the top, application development security is the way for organizations to ensure their place in the future. The tools and methods for putting application security in place might change, but the basics of security will remain relevant throughout the next few years and beyond.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...