Application development security is a key skill for the future of cybersecurity. A recent industry study shows it is the fastest-growing cybersecurity skill for the year ahead, with demand expected to increase by 164% over the next five years. Such growth would bump up the total number of job openings requiring this skill from 29,635 in 2020 to 48,601 a few years from now.

These findings raise important questions. What is application development security? And, what’s driving the rapid growth?

Application Development Security at a Glance

First, this job is about strengthening the defenses of an app by finding and fixing openings. As the name implies, this process most often takes place during the development phase, before an app goes into production, but it can also occur after the owner has deployed the app.

There is more than one way to look at application development security, otherwise known as application security testing (AST). The methods people in this field are likely to use include the following:

  • Static Application Security Testing (SAST): In this type of application security testing, the testers have some knowledge of an application’s architecture and use it to examine the source code and report the weaknesses found there.
  • Dynamic Application Security Testing (DAST): As opposed to SAST, DAST assumes no knowledge of an application’s code. Its purpose is to find potential openings in a specific app while it is running.
  • Interactive Application Security Testing (IAST): This method combines SAST and DAST into a hybrid approach.
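As an added illustration (not code from the article), here is a minimal SAST-style checker in Python that shows what "reporting weaknesses within the source code" looks like in practice: it parses the source into a syntax tree and flags weak hashes, code-execution sinks, and SQL built from runtime strings without ever running the program, which is exactly where it differs from DAST. The sample input it scans is constructed for this example.

```python
# Added illustration of a SAST-style checker, not code from the article.
# It inspects Python source via the `ast` module without executing it.
import ast
from dataclasses import dataclass
from typing import List

WEAK_HASHES = {"md5", "sha1"}        # unsuitable for security purposes
DANGEROUS_CALLS = {"eval", "exec"}   # arbitrary code execution sinks

@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str

def _dotted(node: ast.AST) -> str:
    # Render a call target such as hashlib.md5 as a dotted name.
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{_dotted(node.value)}.{node.attr}"
    return ""

def scan_source(source: str) -> List[Finding]:
    # Walk the syntax tree and collect findings, ordered by line number.
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name in DANGEROUS_CALLS:
            findings.append(Finding(node.lineno, "code-exec", f"call to {name}()"))
        elif name.startswith("hashlib.") and name.split(".")[-1] in WEAK_HASHES:
            findings.append(Finding(node.lineno, "weak-hash", f"{name} is a weak hash"))
        elif name.endswith(".execute") and node.args:
            # SQL assembled at runtime (f-string/concatenation) instead of bound parameters
            if isinstance(node.args[0], (ast.JoinedStr, ast.BinOp)):
                findings.append(Finding(node.lineno, "sql-build", "query built from strings; bind parameters"))
    return sorted(findings, key=lambda f: f.line)

# Constructed sample input: deliberately flawed code for the checker to inspect.
SAMPLE = '''
import hashlib
def login(cur, user, pw):
    digest = hashlib.md5(pw.encode()).hexdigest()
    cur.execute(f"SELECT 1 FROM users WHERE name='{user}' AND pw='{digest}'")
    cur.execute("SELECT 1 FROM users WHERE name=?", (user,))
    return eval(user)
'''
```

Running `scan_source(SAMPLE)` reports the weak hash on line 4, the string-built query on line 5 and the `eval` on line 7, while the parameterized query on line 6 passes; a real SAST tool adds many more rules and data-flow tracking, but the shape is the same.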

Why the Need for Application Development Security?

The growing demand for application development security reflects two ongoing trends.

1. The world is becoming more mobile. Businesses and other organizations invest in letting their users interact with their services through an app on a variety of devices. Along the way, they need someone with application development security skills to secure those apps and ensure consistent, secure mobile performance for a growing portion of their user base.

2. Openings in an app’s defenses erode trust between the creators and the users. Overall, flaws like this are common in mobile apps. Almost three-quarters of iOS and Android apps analyzed for a 2020 study wouldn’t have passed a basic security test. More than four-fifths (83%) of those surveyed apps had at least one flaw, with openings showing up in 91% of iOS apps and 95% of Android apps analyzed in the study.

Keep Your Business Secure

Those holes pose a threat to businesses. Weak server-side controls, unsafe data storage, broken cryptography and other problems open the door for external attackers to scrape information. Potential customers might hesitate to do business with groups that suffered a data breach because of poor application development security. That’s assuming those groups can continue to operate after paying for repairs, paying the legal fees and other damages that come with a breach.

Lastly, some customers aren’t waiting for a breach to demand that application development security be taken seriously. Customers are telling the companies whose apps and other products they use to write more secure code before those companies have even faced an attack. In some cases, the pressure supplied by customers dwarfed the pressure provided by regulators and compliance auditors. This shows how application development security is becoming a means by which organizations can maintain trusting partnerships with their customers from the moment they begin doing business together, not just in the aftermath of a publicly disclosed problem.

Best Practices for Developers

Just as the tools used for application development security change, so do the skills employers need most. Software composition analysis tools, along with limited security testing built right into developers’ toolchains, could replace older AST methods within the next few years. Industry experts predict that automated solutions will be capable of fixing 10% of openings spotted by SAST tools by 2022.

These forecasts provide a glimpse into where application development security as a field is going. But they don’t detract from the basic practices developers can use on their side to produce secure apps. For instance, developers need to realize there’s rarely a need to write their own security code from scratch and hope they get it right. Instead, they can build on secure frameworks. They should also make sure they’re using the latest versions of any third-party code or libraries.

Developers should remember the power of teamwork, too. They can join forces with security architects and the operations team in order to implement threat modeling. This process won’t just help find and triage potential threats. It also fosters communication and mutual understanding — the foundations of building a DevSecOps culture.

Application Development Security for the Future

Like we said at the top, application development security is the way for organizations to ensure their place in the future. The tools and methods for putting application security in place might change, but the basics of security will remain relevant throughout the next few years and beyond.
