Nuff' Said - The Numbers
It is now pretty common knowledge that there is a deficit in InfoSec professionals - application security in particular. A Capgemini study on InfoSec talent states that there is a 25 percent gap between the supply and demand for security professionals. This trend will only continue to widen. By 2021, according to a Cybersecurity Ventures report, there will be a shortfall of required InfoSec professionals by 3.5 million.
Additionally, most college degree programs are no way in sync with the current and future market demands from security engineering teams. According to the Global Skills Survey by Veracode, about 70% of survey respondents stated that the new graduates did not receive adequate training for what their current positions required. A large part of information security is understanding new technology. If the new graduates are not trained on how to be in sync with the market demands, their hard earned degrees are pretty much staring the tube.
Challenges and Implications to the DevSecOps community
The whole concept of DevSecOps relies on the agility of application development and security teams in integrating security as part of the development pipeline; a.k.a “shifting security left”. In such environments, security is pretty much everyone's responsibility, more so with developers. With the current shortage of skills around, bringing agility and security as part of DevSecOps becomes an uphill battle.
The Veracode survey, as mentioned above, identified the biggest challenge of DevOps is to find experts with a balanced combination of technical skills and interpersonal skills required “to support a fast-paced and collaborative CD environment.” This talent shortage hampers companies' growth and transformation by impacting their competitive advantage, as mentioned in a Capgemini report on Digital Talent Gap. This effect is more pronounced in teams that rely heavily on new technology for their business growth.
Adding to this stress is the skill redundancy of the current workforce. Integrating security as part of the CI/CD pipeline requires a good grasp of security principles and tooling skills. Most “conventionally trained” security professionals are lacking in these skills, which is set to become redundant over the next 3 to 5 years.
Professionals who possess these necessary skills are far and few in number and come with a heavy $$$.
The end of the line - Skill Enablement
One (and increasingly the only) way to deal with this shortage is through skill enablement of the existing workforce. In order to fully embrace the principles of DevSecOps, security professionals and developers need to upgrade their skills - consistently and in some cases, with a tangential bent of mind.
What this means to Developers
Developers will not only need to learn the essentials of application security (such as the OWASP Top 10, SANS Top 25) but also develop the ability to understand the know-how of security integration. According to the Veracode survey mentioned above, 7 in 10 developers claim that their organizations did not provide them with necessary training on security to do their jobs well. So, it's not that the developers don’t want to learn. Giving them the AppSec trainings would enable them to gain necessary hands-on knowledge, and bring in a cultural change, that of “security being everyone’s responsibility”.
Another key learning for developers would be to ideate and create threat models for the application they build. This activity gives them a comprehensive understanding of the security posture of the application right at a unit level. They will also therefore be able to better appreciate the security implications of adding new functions.
The goal here is to equip the developers with enough security knowledge that can enable them to ask the right questions while interacting with management, clients, and security personnel.
What this means for Security Pros
In simplespeak, there are two mantras for security professionals - One, look at tools outside the confines of their laptops and two, understand and “get” code.
Automation is the cornerstone of today’s agile product engineering and has its fair share within the security silo as well. Smart automation drastically reduces the need for manual bandwidth for the grunt-phases of an assessment (such as Reconnaissance), thereby opening up much needed man-hours for phases of the assessment that matter. There are a commendable set of tools (DAST/ SAST) that can be stitched together to do the security testing for you today. Thereby, the traditional approach to security testing will become redundant in future and it is imperative for current security professionals need to adapt. Contrary to popular notion, automation in appsec will not eat away the job of a penetration tester, but in fact make the role more mature.
They need to learn to code. Security is everybody’s responsibility. Companies are moving towards light weight applications and serverless technologies to scale up and cut costs. This means the tech stack and their attack surface is constantly changing. In order to secure such pervasive tech stack, security engineers need to understand how the underlying code works. For that, they need to learn to code. In addition, coding enables them to embed multiple testing tools together to automate testing, thereby increasing their value to the company and themselves.
These security experts also need to be trained on how to educate others in team on security so that they can teach the others in the group.
Another “out-of-the-box” possible solution to the skill shortage is to look at talent from non technology domains. This has been a tried and tested model adopted by large IT services conglomerates as part of their university campus recruitment drive. However this has been largely restricted to pure software engineering. The same concept can be extended to security engineering as well. There has been a steady increase of non-security professionals who are keen to shift focus to security. Skill enablement programs have proved to be largely successful with such groups in the long run, since there is no “unlearning” of existing concepts and programs are often on clean slate.
A shortage in the necessary workforce means overloading the current workforce, consequently leading to an inadequate security posture. Therefore, companies should empower their employees with proper training to meet the demands of security expertise. Individuals should get out of their comfort zone and acquire new skills to remain employed.