Industry Observations-Web Application Security

Webappsec Talent Debt

A few times in the past Jeremiah has shown that there is a severe shortage of qualified professionals in the industry. The math changes quite often, but I decided to make a quick little calculator to show how much of a deficit we really have.

My assumptions are as follows (and arguably they are all wrong, but go ahead and change them to whatever you think are correct). There are estimates of around 673 million websites on the public internet according to NetCraft.

Based on a lot of anecdotal evidence, manual penetration tests tend to take anywhere from 1 day for very small websites to months or years for big websites. I averaged it out to 16 hours just to put a line in the sand. Some may say it’s more, or less, but it’s a number we can debate, or you can modify in the spreadsheet at will.

I also estimated that there are no more than 300k people in the security industry that can do web application security assessments. That is partially based on some Gartner data that there are somewhere in the neighborhood of 3 million people working in security overall, worldwide. Optimistically, I’d say that only 1 out of 10 people in our industry can do webappsec assessments, if you count sales people, marketing people, developers, people working in other areas of security and so on. The real number is almost certainly an order of magnitude smaller, but I don’t have real numbers.

Lastly, we know that there are approximately 2000 work hours in an average year. That may be high, especially if your webappsec engineers are off taking phone calls, talking to customers, doing training, going to conferences, etc. Therefore optimistically, we should expect (based on these numbers) for the average webappsec penetration tester who is fully dedicated to do around 31 webapps a year if they must test each one once a quarter – again, assuming they never do anything but penetration tests.

The numbers are stunning – we’re at a huge deficit. I’m not even going to say the numbers, they’re that bad. You can download the small spreadsheet and play with these numbers yourself. Even if you don’t agree with my numbers, no matter what numbers you use, it still seems like the odds of full coverage via manual assessments alone are not in our favor. One could argue that not every app in the entire world needs to be tested once a quarter, or even that not all apps need to be tested ever. Or one could say that WAFs help reduce the overall security need for certain signature rich vuln classes. But even if you massage these numbers to the best possible scenarios, we still have a massive talent-debt. Therefore some automation is not just important, but absolutely critical if we want to tackle this global problem head-on.

  • Adam

    And it turns out writing automation which is general enough to apply to all websites it not easy! Specifically mutating the input when it detects “something interesting”, and not having a high number of false positives nor false negatives.

    I think we can all agree that we can do better than the tools we have now. The problem with building these tools is lack of incentive. The cost it too great for any one client, and arguably even too great for one pen-test firm (assuming we’re talking about *properly* done tools here, not some janky one-off). Sounds like an excellent business opportunity, which is why there aren’t any really good open-source tools.

    Thought experiment: Whitehat puts a bounty out there for an open-source tool which does some concrete things (e.g. crawls pages, identifies GET params and their: types (string, int, float, comma-separated list of $type), required/optional). Then if/when that gets done, add logic that will determine which parts of the page will change based on the parameters. Then add a fuzzing module which will try absurd things (integer overflow, negative numbers, unparseable floats, various string encodings). Basically just have it start out as surface-area enumeration, to direct an analyst, then grow from there.

  • Bryan Marcelino

    good article

  • https://twitter.com/honam honam

    Huge shortage! If you add Intranet apps, the shortage of qualified web security professionals is even more severe. At most large companies, I would guess that the number of web apps behind the firewall far out number their public web sites/apps.

  • Pingback: 20,000 | WhiteHat Security Blog()

  • Pingback: 20,000 | Cyber security labs by Cipher Net AB()