Automating your way out of an AppSec staffing shortage
2023-11-21 02:16:49 Author:查看原文) 阅读量:5 收藏

If you’re like most companies, you might be struggling to hire and retain skilled application security staff. According to a 2023 study by the Information Systems Security Association (ISSA), 71% of companies feel they are negatively impacted by a shortage of skilled cybersecurity professionals.

The study also showed that over half the respondents felt that the shortage and its impact has worsened since 2021. And 63% say the workload has gotten heavier due to increasing attack surface areas, attack frequency and sophistication. 

AppSec staff is feeling the strain. Half of people surveyed feel burned out and plan to leave the field within the next 12 months. Being understaffed, and worse–losing good people and the tribal knowledge they possess is costly to software supply chain security stakeholders. It takes time to bring new staff up to speed on security issues, to learn all the edge cases, and to recognize, prioritize, and eliminate new AppSec risks as they arise, before they get deployed into production.

There are two important strategies organizations should adopt to help address AppSec human resources shortages:

  1. Increase the supply of skilled AppSec people by raising AppSec staffing budgets, raising salaries to help attract and retain people, and invest in training to raise skills. 
  2. Decrease the demand for AppSec people by automating as much of the software supply chain security processes as possible. In other words, do more with less.

AppSec automation examples

To make it clear how automation can help avoid headcount shortages, let’s look at some of the ways automation can be used to reduce the AppSec workload in your software supply chain:

  • Automate AppSec integration – it’s common to have a portfolio of AppSec tools that protect various parts of the software supply chain. Together, these tools can detect thousands of issues during the software release cycle. These tools represent silos, which incur costly and time-consuming manual overhead such as performing cross-silo coordination, integrating and analyzing issue data, developing in-house integration solutions, and so on.

There are turn-key AppSec solutions such as OX Security that automate this integration, to reduce staffing requirements and allow AppSec personnel to focus on higher-value added activity.

DevOps Unbound Podcast

  • Automate issue prioritization – With dozens or hundreds of software supply chain security issues arising every day, issues must be prioritized so that a) serious threats are removed before the software is deployed to production, and b) developers are not distracted by duplicate or less serious security hygiene issues. Reviewing, classifying, and assigning so many issues every day is tedious and labor intensive.

Issue review and prioritization can be automated to help lighten the load for the AppSec and development teams. OX Security uses AI to cleanse, deduplicate, and prioritize security issues–automatically, thus reducing thousands of issues down to a handful of truly serious threats:

ox dashboard screen shot

  • Automate issue resolution – Assigning issues to developers is another laborious task that should be automated. Documenting each issue, creating a software change ticket for engineering, confirming that engineering has received–and is working on–the issue can require lots of AppSec people.

Instead, software teams should employ technology like OX Security that can automatically execute custom resolution workflows. This will free up AppSec people to focus on higher-value activities like learning about new threats, implementing new tools, and working more closely with engineering to resolve issues and improve processes.

3 ways AppSec automation can solve skills shortage problems

With proper AppSec automation in place you can reduce the impacts of software supply chain security skills shortages in three ways:

  1. Do more with less

If you put automation in place, you will not need such a large AppSec staff to integrate, prioritize, and resolve issues. Consider putting automation in place to make your current team more productive, and reduce staffing requirements in these areas.

  1. Raise morale to increase job satisfaction and employee retention

High-quality AppSec professionals are in a constant fight against cyberattackers; it’s stressful and they deserve high-quality tooling. If you don’t equip them with good tooling, they’ll go work for someone else who does. Automation like OX Security helps AppSec teams raise morale and reduce stress by finding and eliminating more serious threats in a more timely way and with less tedious work. 

  1. Build and retain tribal knowledge for faster onboarding

Automation captures and preserves tribal knowledge of AppSec issues and edge cases. As a result, you minimize knowledge loss when employee turnover occurs, and new team members  reach full productivity much faster as the team expands.

Explore AppSec automation solutions with OX

If you’d like to learn more about AppSec automation, or discuss software supply chain security organization and strategy best practices, feel free to contact us. You can also try OX Security to get a feel for how impactful AppSec automation can be within your organization.

The post Automating your way out of an AppSec staffing shortage appeared first on OX Security.

*** This is a Security Bloggers Network syndicated blog from OX Security authored by William Penfield. Read the original post at: