
The Application Security Crisis: Why Training Your Team Should Be Your #1 Priority

February 21, 2022
Training your team for Application Security

One of the biggest challenges a lot of team leaders face today is figuring out how to bring their teams up to speed with new tech stacks they've never used.

Take this 2019 Application Security Risk Report by Micro Focus: 94% of applications tested in 2018 contained a vulnerability in a security feature. That’s a near-ubiquitous problem across the industry. 

Let's take Kubernetes, for example. This notoriously complicated container orchestration platform has, in just a couple of years, become one of the most sought-after new technologies in product engineering.

Increasingly many apps are migrating to Kubernetes, which means two things: people want to learn how to develop apps for it, and they also need to learn how to secure those apps on it.

The need for application security talent is growing

Security is a big deal, and product teams need it now more than ever. Despite this, 76% of cybersecurity leaders in 2020 said they were facing a serious shortage of skilled talent. That’s a massive skill gap indicating that the supply is nowhere near able to meet the demand. The industry may be growing faster than ever, but the talent pool simply isn’t. 

If you're at the head of a team that's building a new app but don't have the expertise to secure it properly, that's a problem. The attack surface of a traditional application is very different from that of, say, a serverless app, or even a containerized app. You're dealing with vastly different (yet related) technologies here, and it's critical for your product engineers to learn how they work and how to make them secure.

When faced with a problem like this, you only have two options as a team lead: hire a subject-matter expert, or train your team in the areas they lack experience in.

What’s more effective: hiring or training?

If we’re looking at cost-benefit, it seems kind of obvious at first. If we’re talking about hiring just one new person versus getting training for your whole team of 20-30 people (or even more), the former option seems by far the more economical one.

But the numbers tell a different story. We’ve created an infographic to explain exactly how training and hiring compare, looking at cost, effectiveness, and time investment. You can view and download it here. 

For starters, hiring has all kinds of hidden costs that can add up to anywhere between 75-150% of the new hire’s annual salary. You’re looking at costs of onboarding, which can take up to 26 weeks, and loss of productivity for the first 8-12 months after hiring. And all this isn’t even taking into account their salary!


In contrast, a learning platform like AppSecEngineer costs just $49 per seat, and employees can effectively complete a course (plus all the hands-on lab practice) in around a month. With 3-5 courses in a Learning Path, your entire team can train and become proficient in a field in well below a year.

Beyond that, teams that receive 40 hours of training per member see a 10% increase in productivity, with 22% faster product rollouts. Team-wide collaboration is more effective and efficient when those same teams train together.

In a rapidly evolving tech landscape, training isn’t just the best option, it’s downright essential. But that doesn’t mean all training is automatically good. It’s well known in the corporate world that employees quickly grow weary of cookie-cutter training programs with recycled or outdated information and bland presentations. 

Let’s look at the issues most employees face with corporate security training, and what you can do to fix it.

3 things corporate security training doesn't do

When it comes to security training, there are 3 essentials that it needs to cover to be effective. Unfortunately, most corporate training in application security skips them, and the courses end up being boring or unrelated to real-world problems. And the only thing worse than employees skipping training is employees wasting time on a class that didn't teach them anything.

Offensive vs. Defensive AppSec

A big mistake many training programs (and companies) make is to place the emphasis completely on offensive security. Figure out all the ways an attacker can get into your app, and you'll have a security blueprint ready to start fixing it. 

But that completely ignores the thing that makes it security in the first place: actually defending your application. There's no point learning where all the gaps are in your defense systems if you don't know how to close them.

That's the philosophy of purple team security. Not red, not blue. Purple. And the reason it's so important is that it works, offering immediately tangible, measurable improvements.

Real-world security scenarios

You know why people always take marketing campaigns for a car's mileage or a phone's battery life with a pinch of salt? It's because the tests they conduct are all done in very tight, controlled environments. 

Real life doesn't work like that; you're bound to encounter problems you didn't anticipate. Security works the same way. Generic test cases where you only learn the most basic ways vulnerabilities affect apps can't give you the whole picture.

You need to be exposed to security threats modelled after real ones to learn how to secure applications against unexpected or unconventional challenges. That's why learning on the job is usually so much more effective than classes in school.

Practical experience

Learning something new is no different from developing a new habit: you have to keep working at it, practicing, doing it over and over again until you get good at it. AppSec is no exception.

If you're going to be facing real security threats at your job, you need to have experience working with tools, understanding the data, implementing security protocols, and a whole host of other skills that you simply can't get by reading a book.

How do you bridge the AppSec skill gap?

Training for the sake of ticking a box is never a good idea, because that won’t actually equip your team for shifting trends or emerging technologies in the security industry. 

Really effective training takes time and effort, but it pays itself back many times over.

AppSecEngineer was built with this in mind. Our courses cover everything from the basics to the most complex arenas of modern application security.

But the best part? Our cutting-edge hands-on labs, which make it necessary for learners to take their time with the material and become proficient in practical, real-world implementations of security techniques. 

We even let you manage your entire team on the platform, with progress reports and analytics data sent to the team leader on a regular basis.

If you want to learn more about how AppSecEngineer for Teams works, contact us and we'll give you a demo!

Aneesh Bhargav

When Aneesh is not creating career-focused security content, he’s probably playing video games.