Security-aware developers: AppSec needs you!
Although it may seem counterintuitive to anyone working outside of software development, many of the professionals employed in application security over the years have worked in those critical roles with little or no programming experience. These AppSec professionals are part of the team that is responsible for making sure that no vulnerabilities creep into the applications that have become the lifeblood of many industries and organizations, and yet few of them can actually directly evaluate or fix the code themselves.
Instead of coming from a coding background, many security professionals approach their roles from the perspective of key knowledge around attack vectors, threats, exploits, and business risk; they have a limited view of code. While not every AppSec guru has the same skillset, a typical day for many involves working with code reviewers and scanning tools to ensure that programs and systems are secured according to organizational standards, or relevant industry and government frameworks. They then write up reports about their findings, and send back information on the attack vector that may break the code. It is then up to developers to make necessary fixes, no matter how disruptive it may be to current work.
The situation developed this way because the prevailing logic over the years was that the job of protecting networks and applications was so vast that it made no sense to expect everyone working in cybersecurity to perform every role. Deep coding skills were left to the developers, and little value was placed on the ability to write or edit code farther down the development pipeline.
That mindset is changing fast, and that presents a unique opportunity for developers to make the lucrative jump and career shift into AppSec. Not every developer will want to embrace the so-called dark side, and many developers aren’t particularly positive in their opinions regarding AppSec teams. But for those who do, there has never been a better time to grab that increasingly tempting brass ring.
DevSecOps drives nearly every industry
One of the biggest factors elevating the value of security-aware programmers and developers in any organization is the almost universal move toward DevSecOps and similar agile delivery practices. When development, security, and operations are combined, cybersecurity becomes a shared responsibility integrated into the development of new software from end to end. In that environment, the ability to code is increasingly seen as a valuable asset across the board, and this is especially true for engineers who also understand security.
An AppSec professional who not only understands cybersecurity at a high level, but also the code that makes everything work, is inherently more valuable to any organization than someone whose knowledge is concentrated on the theoretical. Being able to quickly discover and evaluate vulnerabilities found within code, and then mitigate those problems, is at the core of why DevSecOps is seeing such popularity.
Developers working in AppSec also bring another big advantage to any organization that employs them. Coming from the development side of the house makes it easy for them to talk with developers about security and vulnerabilities. It also makes it much easier to become coaches for the development teams, helping them to become better coders. Over time, they might even be able to remove the “dark side” stigma from AppSec and help to unify teams within software development across an organization.
The cybersecurity skills shortage is getting worse
Shakespeare borrowed an old proverb when he wrote that it is an ill wind that blows nobody any good. The point is that even the darkest situation probably benefits someone. The cybersecurity skills shortage is a good example.
The shortage of personnel is being felt acutely almost everywhere. In a survey conducted by the Center for Strategic and International Studies, 82% of IT decision-makers said their organizations suffered from a shortage of cybersecurity skills, and 71% said that the shortage had resulted in direct and measurable damage to their organizations. To put the shortage in perspective, in the United States alone there were more than 520,000 unfilled cybersecurity jobs in 2020, in a field that employs only about 940,000 people.
The cybersecurity personnel shortage is bad news for organizations trying to protect their infrastructure, business and data from an increasingly dangerous threat landscape. But it is a good opportunity for developers looking to get into AppSec and security. Chances are that cybersecurity and AppSec positions are available almost everywhere. And with cybersecurity positions now taking on average 21% longer to fill, salaries are rising across the board.
Making the jump to AppSec
There may never be a better time for developers to make the lucrative jump to the sunny security side of life. Security-aware developers are no longer seen as just part of a stopgap security method, but are instead filling out a full and respected role as cybersecurity defenders. This is especially true for organizations that have embraced DevSecOps and other more agile development methodologies. And the cybersecurity talent shortage means that positions are available at nearly every company, government agency or organization. Those with the right skills can pick and choose where they want to work.
Moving to AppSec may not be for everyone, and of course, most developers will remain focused on building amazing features. But for those who are considering making the jump, investing in security training to augment their existing coding skills can open up a lot of doors. The best AppSec people come out of engineering, because they deeply understand the tech and have empathy for the plight of their fellow developers. DevSecOps means that everyone is now responsible for security anyway, so why not take advantage of the current critical skills shortage to advance your career into application security? There has never been a better time to make a positive move for yourself, your family, and your career.
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.