Blog

Security-aware developers: AppSec needs you!

Matias Madou, Ph.D.
Published Oct 29, 2021

Although it may seem counterintuitive to anyone working outside of software development, many of the professionals employed in application security over the years have worked in those critical roles with little or no programming experience. These AppSec professionals are part of the team that is responsible for making sure that no vulnerabilities creep into the applications that have become the lifeblood of many industries and organizations, and yet few of them can actually directly evaluate or fix the code themselves. 

Instead of coming from a coding background, many security professionals approach their roles from the perspective of key knowledge around attack vectors, threats, exploits, and business risk; they have a limited view of code. While not every AppSec guru has the same skillset, a typical day for many involves working with code reviewers and scanning tools to ensure that programs and systems are secured according to organizational standards, or relevant industry and government frameworks. They then write up reports about their findings, and send back information on the attack vector that may break the code. It is then up to developers to make necessary fixes, no matter how disruptive it may be to current work.

The reason the situation developed this way is because the prevailing logic over the years was that the job of protecting networks and applications was so vast, that it didn’t make sense to expect everyone working in cybersecurity to perform every role. Deep coding skills were left to the developers, and little value was placed on the ability to write or edit code farther down the development pipeline.

That mindset is changing fast, and that presents a unique opportunity for developers to make the lucrative jump and career shift into AppSec. Not every developer will want to embrace the so-called dark side, and many developers aren’t particularly positive in their opinions regarding AppSec teams. But for those who do, there has never been a better time to grab that increasingly tempting brass ring.

DevSecOps drives nearly every industry

One of the biggest factors in elevating the value of security-aware programmers and developers in any organization, is the almost universal move to embrace more agile development practices like DevSecOps. When development, security, and operations are combined, cybersecurity becomes a shared responsibility integrated into the development of new software from end to end. In that environment, the ability to code is increasingly being seen as a valuable asset across the board, and this is especially true for engineers who also inherently understand security. 

An AppSec professional who not only understands cybersecurity at a high level, but also the code that makes everything work, is inherently more valuable to any organization than someone whose knowledge is concentrated on the theoretical. Being able to quickly discover and evaluate vulnerabilities found within code, and then mitigate those problems, is at the core of why DevSecOps is seeing such popularity.

Developers working in AppSec also bring another big advantage to any organization that employs them. Coming from the development side of the house makes it easy for them to talk with developers about security and vulnerabilities. It also makes it much easier to become coaches for the development teams, helping them to become better coders. Over time, they might even be able to remove the “dark side” stigma from AppSec and help to unify teams within software development across an organization.

The cybersecurity skills shortage is getting worse

Shakespeare mused that it’s an ill wind that blows nobody any good. What he meant was that even the darkest situation probably benefits someone. The cybersecurity skills shortage is a great example of this.

The shortage of personnel is being felt acutely almost everywhere. In a recent survey conducted by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations. To put this crisis in an even better perspective, the report pointed out that just in the United States alone, there were more than 520,000 unfilled cybersecurity jobs in 2020 for a field where only about 940,000 are employed.

The cybersecurity personnel shortage is bad news for organizations trying to protect their infrastructure, business and data from an increasingly dangerous threat landscape. But it makes a good opportunity for developers looking to get into AppSec and security. Chances are, that cybersecurity and AppSec positions are available almost everywhere. And with cybersecurity positions taking an average of 21% more time to fill these days, salaries are rising across the board.

Making the jump to AppSec

There may never be a better time for developers to make the lucrative jump to the sunny security side of life. Security-aware developers are no longer seen as just part of a stopgap security method, but are instead filling out a full and respected role as cybersecurity defenders. This is especially true for organizations that have embraced DevSecOps and other more agile development methodologies. And the cybersecurity talent shortage means that positions are available at nearly every company, government agency or organization. Those with the right skills can pick and choose where they want to work.

Moving to AppSec may not be for everyone, and of course, most developers will remain focused on building amazing features. But for those who are considering making the jump, investing in security training to augment their existing coding skills can open up a lot of doors. The best AppSec people come out of engineering, because they deeply understand the tech and have empathy for the plight of their fellow developers. DevSecOps means that everyone is now responsible for security anyway, so why not take advantage of the current critical skills shortage to advance your career into application security? There has never been a better time to make a positive move for yourself, your family, and your career.

View Resource
View Resource

Developers are in a great position to make a lucrative jump into AppSec.

Interested in more?

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demo
Share on:
Author
Matias Madou, Ph.D.
Published Oct 29, 2021

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

Share on:

Although it may seem counterintuitive to anyone working outside of software development, many of the professionals employed in application security over the years have worked in those critical roles with little or no programming experience. These AppSec professionals are part of the team that is responsible for making sure that no vulnerabilities creep into the applications that have become the lifeblood of many industries and organizations, and yet few of them can actually directly evaluate or fix the code themselves. 

Instead of coming from a coding background, many security professionals approach their roles from the perspective of key knowledge around attack vectors, threats, exploits, and business risk; they have a limited view of code. While not every AppSec guru has the same skillset, a typical day for many involves working with code reviewers and scanning tools to ensure that programs and systems are secured according to organizational standards, or relevant industry and government frameworks. They then write up reports about their findings, and send back information on the attack vector that may break the code. It is then up to developers to make necessary fixes, no matter how disruptive it may be to current work.

The reason the situation developed this way is because the prevailing logic over the years was that the job of protecting networks and applications was so vast, that it didn’t make sense to expect everyone working in cybersecurity to perform every role. Deep coding skills were left to the developers, and little value was placed on the ability to write or edit code farther down the development pipeline.

That mindset is changing fast, and that presents a unique opportunity for developers to make the lucrative jump and career shift into AppSec. Not every developer will want to embrace the so-called dark side, and many developers aren’t particularly positive in their opinions regarding AppSec teams. But for those who do, there has never been a better time to grab that increasingly tempting brass ring.

DevSecOps drives nearly every industry

One of the biggest factors in elevating the value of security-aware programmers and developers in any organization, is the almost universal move to embrace more agile development practices like DevSecOps. When development, security, and operations are combined, cybersecurity becomes a shared responsibility integrated into the development of new software from end to end. In that environment, the ability to code is increasingly being seen as a valuable asset across the board, and this is especially true for engineers who also inherently understand security. 

An AppSec professional who not only understands cybersecurity at a high level, but also the code that makes everything work, is inherently more valuable to any organization than someone whose knowledge is concentrated on the theoretical. Being able to quickly discover and evaluate vulnerabilities found within code, and then mitigate those problems, is at the core of why DevSecOps is seeing such popularity.

Developers working in AppSec also bring another big advantage to any organization that employs them. Coming from the development side of the house makes it easy for them to talk with developers about security and vulnerabilities. It also makes it much easier to become coaches for the development teams, helping them to become better coders. Over time, they might even be able to remove the “dark side” stigma from AppSec and help to unify teams within software development across an organization.

The cybersecurity skills shortage is getting worse

Shakespeare mused that it’s an ill wind that blows nobody any good. What he meant was that even the darkest situation probably benefits someone. The cybersecurity skills shortage is a great example of this.

The shortage of personnel is being felt acutely almost everywhere. In a recent survey conducted by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations. To put this crisis in an even better perspective, the report pointed out that just in the United States alone, there were more than 520,000 unfilled cybersecurity jobs in 2020 for a field where only about 940,000 are employed.

The cybersecurity personnel shortage is bad news for organizations trying to protect their infrastructure, business and data from an increasingly dangerous threat landscape. But it makes a good opportunity for developers looking to get into AppSec and security. Chances are, that cybersecurity and AppSec positions are available almost everywhere. And with cybersecurity positions taking an average of 21% more time to fill these days, salaries are rising across the board.

Making the jump to AppSec

There may never be a better time for developers to make the lucrative jump to the sunny security side of life. Security-aware developers are no longer seen as just part of a stopgap security method, but are instead filling out a full and respected role as cybersecurity defenders. This is especially true for organizations that have embraced DevSecOps and other more agile development methodologies. And the cybersecurity talent shortage means that positions are available at nearly every company, government agency or organization. Those with the right skills can pick and choose where they want to work.

Moving to AppSec may not be for everyone, and of course, most developers will remain focused on building amazing features. But for those who are considering making the jump, investing in security training to augment their existing coding skills can open up a lot of doors. The best AppSec people come out of engineering, because they deeply understand the tech and have empathy for the plight of their fellow developers. DevSecOps means that everyone is now responsible for security anyway, so why not take advantage of the current critical skills shortage to advance your career into application security? There has never been a better time to make a positive move for yourself, your family, and your career.

View Resource
View Resource

Fill out the form below to download the report

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

Submit
To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.

Although it may seem counterintuitive to anyone working outside of software development, many of the professionals employed in application security over the years have worked in those critical roles with little or no programming experience. These AppSec professionals are part of the team that is responsible for making sure that no vulnerabilities creep into the applications that have become the lifeblood of many industries and organizations, and yet few of them can actually directly evaluate or fix the code themselves. 

Instead of coming from a coding background, many security professionals approach their roles from the perspective of key knowledge around attack vectors, threats, exploits, and business risk; they have a limited view of code. While not every AppSec guru has the same skillset, a typical day for many involves working with code reviewers and scanning tools to ensure that programs and systems are secured according to organizational standards, or relevant industry and government frameworks. They then write up reports about their findings, and send back information on the attack vector that may break the code. It is then up to developers to make necessary fixes, no matter how disruptive it may be to current work.

The reason the situation developed this way is because the prevailing logic over the years was that the job of protecting networks and applications was so vast, that it didn’t make sense to expect everyone working in cybersecurity to perform every role. Deep coding skills were left to the developers, and little value was placed on the ability to write or edit code farther down the development pipeline.

That mindset is changing fast, and that presents a unique opportunity for developers to make the lucrative jump and career shift into AppSec. Not every developer will want to embrace the so-called dark side, and many developers aren’t particularly positive in their opinions regarding AppSec teams. But for those who do, there has never been a better time to grab that increasingly tempting brass ring.

DevSecOps drives nearly every industry

One of the biggest factors in elevating the value of security-aware programmers and developers in any organization, is the almost universal move to embrace more agile development practices like DevSecOps. When development, security, and operations are combined, cybersecurity becomes a shared responsibility integrated into the development of new software from end to end. In that environment, the ability to code is increasingly being seen as a valuable asset across the board, and this is especially true for engineers who also inherently understand security. 

An AppSec professional who not only understands cybersecurity at a high level, but also the code that makes everything work, is inherently more valuable to any organization than someone whose knowledge is concentrated on the theoretical. Being able to quickly discover and evaluate vulnerabilities found within code, and then mitigate those problems, is at the core of why DevSecOps is seeing such popularity.

Developers working in AppSec also bring another big advantage to any organization that employs them. Coming from the development side of the house makes it easy for them to talk with developers about security and vulnerabilities. It also makes it much easier to become coaches for the development teams, helping them to become better coders. Over time, they might even be able to remove the “dark side” stigma from AppSec and help to unify teams within software development across an organization.

The cybersecurity skills shortage is getting worse

Shakespeare mused that it’s an ill wind that blows nobody any good. What he meant was that even the darkest situation probably benefits someone. The cybersecurity skills shortage is a great example of this.

The shortage of personnel is being felt acutely almost everywhere. In a recent survey conducted by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations. To put this crisis in an even better perspective, the report pointed out that just in the United States alone, there were more than 520,000 unfilled cybersecurity jobs in 2020 for a field where only about 940,000 are employed.

The cybersecurity personnel shortage is bad news for organizations trying to protect their infrastructure, business and data from an increasingly dangerous threat landscape. But it makes a good opportunity for developers looking to get into AppSec and security. Chances are, that cybersecurity and AppSec positions are available almost everywhere. And with cybersecurity positions taking an average of 21% more time to fill these days, salaries are rising across the board.

Making the jump to AppSec

There may never be a better time for developers to make the lucrative jump to the sunny security side of life. Security-aware developers are no longer seen as just part of a stopgap security method, but are instead filling out a full and respected role as cybersecurity defenders. This is especially true for organizations that have embraced DevSecOps and other more agile development methodologies. And the cybersecurity talent shortage means that positions are available at nearly every company, government agency or organization. Those with the right skills can pick and choose where they want to work.

Moving to AppSec may not be for everyone, and of course, most developers will remain focused on building amazing features. But for those who are considering making the jump, investing in security training to augment their existing coding skills can open up a lot of doors. The best AppSec people come out of engineering, because they deeply understand the tech and have empathy for the plight of their fellow developers. DevSecOps means that everyone is now responsible for security anyway, so why not take advantage of the current critical skills shortage to advance your career into application security? There has never been a better time to make a positive move for yourself, your family, and your career.

Interested in more?

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Click on the link below and download the PDF of this one pager.

Download

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

View reportBook a demo
Share on:
Interested in more?

Share on:
Author
Matias Madou, Ph.D.
Published Oct 29, 2021

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

Share on:

Although it may seem counterintuitive to anyone working outside of software development, many of the professionals employed in application security over the years have worked in those critical roles with little or no programming experience. These AppSec professionals are part of the team that is responsible for making sure that no vulnerabilities creep into the applications that have become the lifeblood of many industries and organizations, and yet few of them can actually directly evaluate or fix the code themselves. 

Instead of coming from a coding background, many security professionals approach their roles from the perspective of key knowledge around attack vectors, threats, exploits, and business risk; they have a limited view of code. While not every AppSec guru has the same skillset, a typical day for many involves working with code reviewers and scanning tools to ensure that programs and systems are secured according to organizational standards, or relevant industry and government frameworks. They then write up reports about their findings, and send back information on the attack vector that may break the code. It is then up to developers to make necessary fixes, no matter how disruptive it may be to current work.

The reason the situation developed this way is because the prevailing logic over the years was that the job of protecting networks and applications was so vast, that it didn’t make sense to expect everyone working in cybersecurity to perform every role. Deep coding skills were left to the developers, and little value was placed on the ability to write or edit code farther down the development pipeline.

That mindset is changing fast, and that presents a unique opportunity for developers to make the lucrative jump and career shift into AppSec. Not every developer will want to embrace the so-called dark side, and many developers aren’t particularly positive in their opinions regarding AppSec teams. But for those who do, there has never been a better time to grab that increasingly tempting brass ring.

DevSecOps drives nearly every industry

One of the biggest factors in elevating the value of security-aware programmers and developers in any organization, is the almost universal move to embrace more agile development practices like DevSecOps. When development, security, and operations are combined, cybersecurity becomes a shared responsibility integrated into the development of new software from end to end. In that environment, the ability to code is increasingly being seen as a valuable asset across the board, and this is especially true for engineers who also inherently understand security. 

An AppSec professional who not only understands cybersecurity at a high level, but also the code that makes everything work, is inherently more valuable to any organization than someone whose knowledge is concentrated on the theoretical. Being able to quickly discover and evaluate vulnerabilities found within code, and then mitigate those problems, is at the core of why DevSecOps is seeing such popularity.

Developers working in AppSec also bring another big advantage to any organization that employs them. Coming from the development side of the house makes it easy for them to talk with developers about security and vulnerabilities. It also makes it much easier to become coaches for the development teams, helping them to become better coders. Over time, they might even be able to remove the “dark side” stigma from AppSec and help to unify teams within software development across an organization.

The cybersecurity skills shortage is getting worse

Shakespeare mused that it’s an ill wind that blows nobody any good. What he meant was that even the darkest situation probably benefits someone. The cybersecurity skills shortage is a great example of this.

The shortage of personnel is being felt acutely almost everywhere. In a recent survey conducted by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations. To put this crisis in an even better perspective, the report pointed out that just in the United States alone, there were more than 520,000 unfilled cybersecurity jobs in 2020 for a field where only about 940,000 are employed.

The cybersecurity personnel shortage is bad news for organizations trying to protect their infrastructure, business and data from an increasingly dangerous threat landscape. But it makes a good opportunity for developers looking to get into AppSec and security. Chances are, that cybersecurity and AppSec positions are available almost everywhere. And with cybersecurity positions taking an average of 21% more time to fill these days, salaries are rising across the board.

Making the jump to AppSec

There may never be a better time for developers to make the lucrative jump to the sunny security side of life. Security-aware developers are no longer seen as just part of a stopgap security method, but are instead filling out a full and respected role as cybersecurity defenders. This is especially true for organizations that have embraced DevSecOps and other more agile development methodologies. And the cybersecurity talent shortage means that positions are available at nearly every company, government agency or organization. Those with the right skills can pick and choose where they want to work.

Moving to AppSec may not be for everyone, and of course, most developers will remain focused on building amazing features. But for those who are considering making the jump, investing in security training to augment their existing coding skills can open up a lot of doors. The best AppSec people come out of engineering, because they deeply understand the tech and have empathy for the plight of their fellow developers. DevSecOps means that everyone is now responsible for security anyway, so why not take advantage of the current critical skills shortage to advance your career into application security? There has never been a better time to make a positive move for yourself, your family, and your career.

Table of contents

View Resource
Interested in more?

Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demoDownload
Share on:
Resource hub

Resources to get you started

More posts
Resource hub

Resources to get you started

More posts