Thanks to several recent high-profile incidents and reported vulnerabilities, application security remains a major concern for businesses and government agencies alike. A report released by Gartner in October found that software development lifecycle (SDLC) attacks affected about 61 percent of U.S. businesses between April 2022 and 2023.
To counter these attacks and improve security around the software supply chain, the Biden administration and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have published a series of guidelines called “Secure by Design.” These principles are designed to encourage application vendors and software manufacturers to build security into their apps, putting more responsibility on the industry rather than end-users and consumers.
While the guidelines (now a year old) are voluntary for private industry, CISA and the Office of Management and Budget are creating rules that require federal contractors to develop secure applications for use by the U.S. government.
Finding skilled tech workers who can help execute and enforce these guidelines, whether in the public or private sector, is proving difficult.
The ISC2 Cybersecurity Workforce Study found that 26 percent of respondents reported a skills gap at their organizations in application security. In addition, 23 percent of those surveyed believe application security skills will become the most in-demand skills for security pros who want to advance their careers and seek promotions.
A significant issue to overcome, according to cybersecurity experts and industry insiders, is the cultural gap between developer teams and security teams, and what each team means to its particular organization.
"The biggest barrier is the cultural and procedural separation between development and security teams. Traditionally, developers focus on functionality, performance and meeting deadlines, with security often considered later in the process, if at all,” said Larry Pesce, director of research and analysis at security firm Finite State. “This can lead to poor programming practices, resulting in vulnerabilities that are costly and complex to address later on.”
For tech and security pros interested in exploring this intersection of cybersecurity and application development, industry experts note that many organizations still operate with security and developer teams that have different missions and goals. As Secure by Design becomes more widely accepted, however, tech pros can apply certain skills to help them along this career path and provide them with new opportunities.
Overcoming the Developer and Cyber Divide
While DevSecOps and the broader practice of incorporating security into the development cycle have gained traction over the last several years, experts and insiders noted that Secure by Design needs more time to build momentum among organizations. Government agencies required by law to follow the guidelines might see faster adoption.
Part of the problem with adopting this approach is getting the necessary buy-in from multiple stakeholders. Tech pros interested in improving the development process should take the time to become familiar with the Secure by Design guidelines and try to implement those where possible, said Scott Gerlach, co-founder and CSO at StackHawk.
“Organizations outside the government currently lack incentives to prioritize Secure by Design. Effective implementation requires buy-in from leadership across the development, security and executive departments,” Gerlach told Dice. “Unfortunately, many attempts at [Secure by Design] implementations result in hindering the pace of delivery—ultimately impacting time-to-market—and are often circumvented or abandoned. However, there is potential for success if approached collaboratively by development and security teams to optimize both efficiency and security in delivery processes.”
Another stumbling block enterprises encounter when it comes to Secure by Design is the organization’s infrastructure, especially how best to bring modern cybersecurity practices in line with legacy systems that can host mission-critical applications, noted Jason Soroko, senior vice president of product at Sectigo.
“Challenges also stem from the complexity of modern systems and the difficulty in integrating security into legacy systems,” Soroko told Dice. “Addressing these issues requires not only more skilled cybersecurity professionals but also a fundamental shift in corporate culture to prioritize security throughout the product lifecycle.”
While hiring additional tech talent skilled in security and software development can help bridge this gap, a more comprehensive solution involves rethinking organizational structures, processes and tools that can help integrate secure coding practices and robust testing from the outset, Pesce added.
“Industry-wide, the lack of standardized, well-documented secure coding practices further complicates this issue,” Pesce told Dice. “Software development teams are often left to create their own practices that may only be partially effective.”
Getting Ready for Secure by Design
While organizations need time to adjust to embracing a Secure by Design outlook, individual tech and security pros can start preparing now. As the ISC2 study found, more hiring managers see application security skills as a must-have over the next several years.
“This is an opportunity for ISC2 members—and other professionals—to increase their skills and demonstrate their expertise in secure technology development and lifecycle management,” ISC2 CEO Clar Rosso noted in a statement.
Other experts point to similar trends, especially as organizations place more emphasis on supply chain security to prevent attacks and address application vulnerabilities.
“In the current job market, where hiring may be slow, the demand for professionals skilled in both development and security continues to grow. This trend underscores a significant shift towards more interdisciplinary roles in technology,” Pesce added. “Companies are recognizing the importance of secure design with the increasing adoption of software security tools like the [software bill of materials]. They're prioritizing candidates who can contribute to this aspect of development.”
For tech pros interested in this field and looking to advance their careers, the most challenging part is knowing enough about coding to develop effective applications while also understanding how to apply cybersecurity best practices so that vulnerabilities are not introduced during that process.
“Strong programming skills are a must-have—along with an understanding of secure coding principles and common vulnerabilities. Security awareness encompasses knowledge of security threats and best practices for identifying and addressing risks,” Sarah Jones, cyber threat intelligence research analyst at Critical Start, told Dice. “Experience with secure development tools and effective communication skills are also valuable assets.”
The ideal balance between these skills depends on the specific role, Jones added. For example, entry-level developers might need a strong programming foundation and a willingness to learn secure coding, while security engineers require deep security knowledge and experience with security tools.
Full-stack developers, on the other hand, would ideally possess a balance of both.
For Saumitra Das, vice president of engineering at Qualys, developers and cybersecurity pros should work on deepening the skills that allow for a more holistic approach to application security.
“Developers may not have enough training, or if they do, it is specific to some language and may not apply to the infrastructure. For example, the developer may make his code secure but deploy it on the cloud in an insecure way,” Das told Dice. “The security side tends to focus too much on SLA and outputs of code scanning tools, which usually have large numbers of alerts with no context. This leads to fatigue on both sides. Integrating co-pilot tools and having developers become more secure at an early stage will help here.”
Developing Skills Now
There are steps that tech professionals can take now to help them better understand Secure by Design and application security.
A starting point for tech pros is reading the recently released U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0. With the addition of a 'Govern' function in the updated version, tech pros can better understand what it takes to establish clear cybersecurity governance and policies to guide secure development practices.
“By integrating 'Govern' principles, organizations can better align security objectives with development processes, ensuring security experts are involved early and throughout, which bridges the skills gap on both the developer and security sides,” Soroko noted.
In addition, ISC2 released a new certification, Certified Secure Software Lifecycle Professional (CSSLP), which offers training on building security into development work.
“As cyber threats become more sophisticated, the demand for secure software will only grow. While awareness is rising, regulations are still catching up,” Critical Start’s Jones said. “This focus on secure by design highlights a specific skill set in high demand even in a slow hiring market. Professionals with expertise in secure development have a strong advantage.”