Application development security is a key task when it comes to looking to the future of cybersecurity. A recent industry study shows it is the fastest-growing cybersecurity skill for the year ahead. Demand is expected to increase by 164% over the next five years. Such growth would bump up the total number of job openings requiring this skill from 29,635 in 2020 to 48,601 a few years from now.

These findings raise important questions. What is application development security? And, what’s driving the rapid growth?

Application Development Security at a Glance

First, this job is about strengthening the defenses of an app by finding and fixing openings. As the name implies, this process most often takes place within the development phase before an app goes into production. But it can occur after the owner has deployed those apps, as well.

There’s not just one approach to application development security, otherwise known as application security testing (AST). The main methods practitioners in this field use include the following:

  • Static Application Security Testing (SAST): In this type of application security testing, the testers have some knowledge of an application’s architecture and access to its source code. They use that knowledge to report weaknesses in the source code without running the app.
  • Dynamic Application Security Testing (DAST): As opposed to SAST, DAST assumes no knowledge of an application’s code. Its purpose is to find potential openings by exercising a specific app in its running state and observing how it behaves.
  • Interactive Application Security Testing (IAST): This method combines SAST and DAST into a hybrid approach, instrumenting the running app so that observed behaviour can be tied back to the code that produced it.
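The difference between the static and dynamic approaches is easiest to see side by side. The block below is an added example, not code from the original article: a tiny SAST-style checker that walks a Python source file's syntax tree and flags risky calls without executing anything, beside a DAST-style probe that never looks at the source and instead feeds a harmless arithmetic string to a running function to see whether the input gets interpreted as code. The sample source, the list of risky calls and the probe input are all constructed for the example.

```python
import ast

# Constructed sample application source (not from the page): one safe
# subprocess call, one shell=True call, and one eval() on caller input.
SAMPLE_SOURCE = '''
import subprocess

def list_dir(path):
    return subprocess.run(["ls", path], capture_output=True)

def run_user_command(cmd):
    return subprocess.run(cmd, shell=True)

def compute(expr):
    return eval(expr)
'''

# Constructed rule set: bare builtins that evaluate strings as code.
RISKY_CALLS = {"eval", "exec"}


def _call_name(node):
    """Return the dotted callee name of an ast.Call, e.g. 'subprocess.run'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def sast_scan(source):
    """Static check: parse the source and report risky calls by line number.

    Nothing in the sample is executed; the findings come purely from the
    syntax tree, which is what distinguishes SAST from DAST.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in RISKY_CALLS:
            findings.append((node.lineno, f"call to {name}()"))
        elif name == "subprocess.run":
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, "subprocess.run with shell=True"))
    return sorted(findings)


def load_sample():
    """Load the constructed sample as a module namespace so the dynamic probe
    has a running target to call (the probe itself never reads the source)."""
    namespace = {}
    exec(SAMPLE_SOURCE, namespace)  # constructed sample only
    return namespace


def dast_probe(target):
    """Black-box check: hand the running target a harmless arithmetic string.

    If the result comes back as the number 6, the target interpreted caller
    input as code, which is observable without any knowledge of the source.
    """
    try:
        return target("2*3") == 6
    except Exception:
        return False


if __name__ == "__main__":
    for lineno, message in sast_scan(SAMPLE_SOURCE):
        print(f"SAST line {lineno}: {message}")
    app = load_sample()
    print("DAST compute() evaluates input:", dast_probe(app["compute"]))
    print("DAST list_dir() evaluates input:", dast_probe(app["list_dir"]))
```

The static scan finds both the `shell=True` call and the `eval()` call from the syntax tree alone, while the dynamic probe can only tell that `compute()` turns its input into code; it says nothing about `run_user_command()` unless a probe happens to exercise that path, which is exactly the coverage gap the two methods have relative to each other.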

Why the Need for Application Development Security?

The growing demand for application development security reflects two ongoing trends.

1. The world is becoming more mobile. Businesses and other groups invest in their users being able to interact with their services via an app on a variety of devices. Along the way, they need someone with application development security skills to secure those apps in order to ensure consistent and secure mobile performance for a growing portion of their user base.

2. Openings in an app’s defenses erode trust between the creators and the users. Overall, flaws like this are common in mobile apps. Almost three-quarters of iOS and Android apps analyzed for a 2020 study wouldn’t have passed a basic security test. More than four-fifths (83%) of those surveyed apps had at least one flaw, with openings showing up in 91% of iOS apps and 95% of Android apps analyzed in the study.

Keep Your Business Secure

Those holes pose a threat to businesses. Weak server-side controls, unsafe data storage, broken cryptography and other problems open the door for external attackers to scrape information. Potential customers might hesitate to do business with groups that suffered a data breach because of poor application development security. That’s assuming those groups can continue to operate after paying for repairs, paying the legal fees and other damages that come with a breach.

Lastly, some customers aren’t waiting for a breach before demanding better application development security. Customers are telling the companies whose apps and other products they use to write more secure code before any attack has occurred. In some cases, the pressure from customers dwarfed the pressure from regulators and compliance auditors. This shows how application development security is becoming a means by which organizations can maintain trusting partnerships with their customers from the moment they begin doing business together, not just in the aftermath of a publicly disclosed problem.

Best Practices for Developers

Just as the security skills employers need most change over time, so do the tools and methods behind them. Software composition analysis tools, along with limited security testing built right into developers’ toolchains, could replace older AST methods within the next few years. Industry experts predict that automated solutions will be capable of fixing 10% of openings spotted by SAST tools by 2022.

These forecasts provide a glimpse into where application development security as a field is going. But they don’t detract from the basic practices that developers can use on their side to produce secure apps. For instance, developers need to realize there’s rarely a need for them to write their own security code from scratch. They don’t have to hope they get security right on their own. Instead, they can build on secure, well-maintained frameworks. They should also make sure they’re using the latest versions of third-party code and libraries, since known flaws in an outdated dependency are inherited by every app that bundles it.
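Software composition analysis, mentioned above as one of the tools expected to move into developers' toolchains, boils down to comparing the third-party versions an app pins against a list of known advisories. The block below is an added example, not the article's or any vendor's code: it parses a requirements-style lockfile, compares each pin to a constructed advisory table, and refuses unpinned entries, because a dependency without a fixed version cannot be checked at all. The lockfile contents, package names and advisory identifiers (`ADV-EXAMPLE-...`) are all placeholders constructed for the example.

```python
# Constructed advisory table (placeholder identifiers, not real advisories):
# package name -> list of (first fixed version, advisory id).
ADVISORIES = {
    "examplelib": [("2.4.1", "ADV-EXAMPLE-0001")],
    "otherpkg": [("1.0.3", "ADV-EXAMPLE-0002")],
}

# Constructed lockfile: one outdated pin, one pin already at the fixed
# version, and one package with no advisory at all.
LOCKFILE = """\
# constructed sample lockfile
examplelib==2.3.0
otherpkg==1.0.3
safepkg==0.9.0
"""


def parse_version(text):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_lockfile(text):
    """Map each pinned package name to its version.

    Lines without an exact '==' pin raise, because SCA cannot reason about
    a dependency whose version is not fixed.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency: {line}")
        pins[name.strip().lower()] = version.strip()
    return pins


def sca_scan(lock_text, advisories=ADVISORIES):
    """Report every pin older than the first fixed version of an advisory.

    Returns a list of (package, pinned version, fixed version, advisory id).
    """
    findings = []
    for name, version in parse_lockfile(lock_text).items():
        for fixed_in, advisory_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, fixed_in, advisory_id))
    return findings


if __name__ == "__main__":
    for name, version, fixed_in, advisory_id in sca_scan(LOCKFILE):
        print(f"{name}=={version} is affected by {advisory_id}; upgrade to {fixed_in}")
```

Running this against the constructed lockfile reports only `examplelib`, since `otherpkg` is already at the version that carries the fix and `safepkg` has no advisory. A real SCA tool also resolves transitive dependencies and reads the advisory data from a maintained feed, but the comparison at its core is the one shown here.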

Developers should remember the power of teamwork, too. They can join forces with security architects and the operations team in order to implement threat modeling. This process won’t just help find and triage potential threats. It also fosters communication and mutual understanding — the foundations of building a DevSecOps culture.

Application Development Security for the Future

As noted at the top, application development security is the way for organizations to ensure their place in the future. The tools and methods for putting application security in place might change, but the basics of security will remain relevant throughout the next few years and beyond.
