Aneesh Bhargav
April 30, 2020

The AppSec Skill Gap and what we're doing to Fix it!

If you had told anyone about 30 years ago that there would be a way for anyone in the world to learn just about anything, whenever they wanted, nobody would believe you. Fast-forward to this year, and suddenly it's the only way we could learn anything (at least for the past few months now).

It’s interesting to see how online learning has evolved. You see, one of the fundamental hurdles that remained for self-learning (or non-instructor-led-learning), was being seen as practical enough and certifiable for subject areas that heavily depend on practical application of concepts.

If one had to become a professional carpenter, or a surgeon, then would an online course cut (no pun intended) it? But from a core Application Security standpoint, it’s important to look at what is being taught, rather than how it is delivered.

Understanding the Skill Gap

According to Veracode’s DevSecOps Global Skills Survey, over 75% of college graduates said that their higher education didn't require them to complete any courses that focused on security. While there might be a need for more security education, the courses that do exist aren’t practical and deal with an often outdated understanding of vulnerabilities. Even amongst professionals in the field, almost 65% of DevOps professionals said that they picked up their most relevant skills on the job, but 70% said their organisations don't provide them with enough security training.

Subjects such as Application Security have another challenge: they need to be subjective (depending on an individual’s knack for finding and fixing vulnerabilities) and yet specific (in being able to find and fix vulnerabilities particular to a technology stack, framework, etc.). Moreover, there is the added complexity of adapting to the recent need to scale security with consistency and speed. But there aren’t enough skilled people to even train new hires efficiently, which means that most people venturing into the field have to pick up knowledge through experience.

So if higher education isn't providing these skills, and they're picked up on the job without enough training, the logical conclusion is that some lessons are learned the hard, expensive way: by making mistakes.

The Existing Ways of Addressing the Gap

One logical way to address the skill gap from an organization’s perspective is to train resources internally. This would mean hiring experts in the domain to conduct intensive training. The problem with this approach, however, lies both in scaling the training across geographies and in its cost-effectiveness and relevance (how relevant will the training be after a certain period of time, and will trainees need an updated course after that time?).

The problem of scale also presents itself (as mentioned before) in finding the right talent. As organizations look to build their applications fast and scale faster, the need for DevOps engineers and application engineers has increased. Herein lies another problem: while it may be (relatively) possible to find someone with the right balance of technology skills and the business acumen required of a generic technologist, one can't say the same when it comes to a security engineer. For example, striking the balance between knowing where an attack might originate, how it traverses application components, and its weaponization possibilities comes from a deep, practical understanding of both building and breaking applications.

What we’re doing to address this

1. The Purple Team Approach

All of this led us to work on something. We had about a decade's worth of experience with real-life vulnerabilities across applications and platforms, and that gave us some ideas. We were convinced that there is a need to normalise the skills of builders (developers) and breakers (security engineers) so that each can appreciate the other side of the spectrum. The purple team view of security is well known and is a proven way of defending technology components by building an intrinsic understanding of potential attack surfaces.

2. The 'No Silver Bullet' Approach

But any approach to teaching Application Security is incomplete without a practical way to teach developers and security engineers how to defend against esoteric threats, while also addressing the problems of scale and cost-effectiveness. While these problems could be solved with online learning, finding the right course can be difficult. There is also the problem of courses being purely defensive or purely offensive.

We thought that the way to fix this problem was to have individual courses that dealt with the different aspects of Application Security independently. There should be different courses for higher-level concepts, such as the management of sensitive information in cloud-native environments like AWS, and then other courses that drill down into more specific topics, such as scaling security on serverless applications. One generalised course would not do justice to the security concepts of any of these components.

3. The Hands-On Approach

We also saw that the solution to making abstract concepts comprehensible is hands-on practice. This is why we built what we call our ‘cyber range’: a safe way to learn the workings of a vulnerability first-hand, from the inside out, and to practice nipping it in the bud. These cyber ranges need minimal set-up (they run in the browser), and they are accessible any time, from anywhere.

The culmination of all of the above is what led us to build AppSecEngineer, our assisted remote training platform, complete with practical courses that combine both offensive and defensive approaches. About three quarters of every course is conducted in our state-of-the-art cyber ranges, under the guidance of experts in the field. We wanted to make training in AppSec accessible and as flexible as possible. So we built it to give trainees live sessions with experts, recordings of classes after they’re done, and extended access to labs that allow them to translate concepts into actual learning.

2020 has made it easier to learn (if nothing else) from home, at your leisure... so why not? After all, knowledge is power, right?

If you’d like to look at the list of courses and slots available, check AppSec Engineer out here: https://www.we45.com/workshops

Want a walkthrough of our cyber ranges? Watch Abhay’s video on them: https://www.youtube.com/watch?v=yd-NAx11oZA