Industry Observations-Web Application Security

Webappsec Talent Debt

A few times in the past Jeremiah has shown that there is a severe shortage of qualified professionals in the industry. The math changes quite often, but I decided to make a quick little calculator to show how much of a deficit we really have.

My assumptions are as follows (and arguably they are all wrong, but go ahead and change them to whatever you think are correct). There are estimates of around 673 million websites on the public internet according to NetCraft.

Based on a lot of anecdotal evidence, manual penetration tests tend to take anywhere from 1 day for very small websites to months or years for big websites. I averaged it out to 16 hours just to put a line in the sand. Some may say it’s more, or less, but it’s a number we can debate, or you can modify in the spreadsheet at will.

I also estimated that there are no more than 300k people in the security industry that can do web application security assessments. That is partially based on some Gartner data that there are somewhere in the neighborhood of 3 million people working in security overall, worldwide. Optimistically, I’d say that only 1 out of 10 people in our industry can do webappsec assessments, if you count sales people, marketing people, developers, people working in other areas of security and so on. The real number is almost certainly an order of magnitude smaller, but I don’t have real numbers.

Lastly, there are approximately 2000 work hours in an average year. That may be high, especially if your webappsec engineers are also taking phone calls, talking to customers, doing training, going to conferences, etc. Putting the numbers together: 2000 hours divided by 16 hours per assessment is 125 assessments a year, and testing each app once a quarter means four assessments per app, so optimistically a fully dedicated webappsec penetration tester can cover around 31 webapps a year (125 / 4 = 31.25) – again, assuming they never do anything but penetration tests.
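The spreadsheet behind the post is not reproduced here, so the following is an added example (not the author's spreadsheet or code) that implements the same calculation in Python with the post's stated assumptions as defaults. Beyond the per-tester figure in the text it also computes the coverage fraction, the tester shortfall at a quarterly cadence, and the cadence the current headcount could actually sustain across every site. The field names and the `Assumptions`/`Result` structures are my own; every default value is one of the post's numbers.

```python
"""Webappsec talent-debt calculator.

Added example based on the assumptions stated in the post. The defaults are the
post's numbers; change any of them to run your own scenario.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Assumptions:
    websites: int = 673_000_000             # NetCraft estimate cited in the post
    hours_per_assessment: float = 16.0      # averaged manual pentest length
    assessments_per_app_per_year: int = 4   # "once a quarter"
    work_hours_per_year: float = 2000.0     # optimistic fully-dedicated year
    qualified_testers: int = 300_000        # post's upper bound on webappsec testers


@dataclass(frozen=True)
class Result:
    apps_per_tester_per_year: float   # how many apps one tester can keep on cadence
    apps_covered: float               # apps the whole workforce can keep on cadence
    coverage_fraction: float          # apps_covered / websites, capped at 1.0
    uncovered_apps: float             # websites that get no assessment at that cadence
    testers_needed: float             # headcount required for full coverage
    tester_shortfall: float           # testers_needed - qualified_testers (floored at 0)
    years_between_assessments: float  # cadence current headcount can sustain for every site


def talent_debt(a: Assumptions) -> Result:
    """Compute the deficit implied by a set of assumptions."""
    hours_per_app_per_year = a.hours_per_assessment * a.assessments_per_app_per_year
    apps_per_tester = a.work_hours_per_year / hours_per_app_per_year
    apps_covered = apps_per_tester * a.qualified_testers
    testers_needed = a.websites / apps_per_tester
    # If every site got exactly one assessment before any site got a second,
    # this is how long the whole workforce would take to get round once.
    total_hours_available = a.qualified_testers * a.work_hours_per_year
    years_per_sweep = (a.websites * a.hours_per_assessment) / total_hours_available
    return Result(
        apps_per_tester_per_year=apps_per_tester,
        apps_covered=apps_covered,
        coverage_fraction=min(apps_covered / a.websites, 1.0),
        uncovered_apps=max(a.websites - apps_covered, 0.0),
        testers_needed=testers_needed,
        tester_shortfall=max(testers_needed - a.qualified_testers, 0.0),
        years_between_assessments=years_per_sweep,
    )


def describe(label: str, a: Assumptions) -> str:
    """Render one scenario as a short report string."""
    r = talent_debt(a)
    return (
        f"{label}\n"
        f"  apps per tester per year : {r.apps_per_tester_per_year:,.2f}\n"
        f"  apps kept on cadence     : {r.apps_covered:,.0f} of {a.websites:,}"
        f" ({r.coverage_fraction:.2%})\n"
        f"  testers needed           : {r.testers_needed:,.0f}"
        f" (shortfall {r.tester_shortfall:,.0f})\n"
        f"  sustainable cadence      : one assessment every"
        f" {r.years_between_assessments:,.1f} years per site"
    )


if __name__ == "__main__":
    baseline = Assumptions()
    print(describe("Post's assumptions (quarterly, 300k testers):", baseline))
    # The post suspects the real tester count is an order of magnitude smaller.
    print(describe("Same, but 30k testers:", replace(baseline, qualified_testers=30_000)))
    # Relaxing cadence to once a year instead of once a quarter.
    print(describe("Annual cadence, 300k testers:",
                   replace(baseline, assessments_per_app_per_year=1)))
```

Changing the cadence or the tester count in `replace(...)` is the equivalent of editing a spreadsheet cell; the `years_between_assessments` figure is the one to look at when arguing about whether a slower cadence closes the gap.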

The numbers are stunning – we’re at a huge deficit. I’m not even going to say the numbers, they’re that bad. You can download the small spreadsheet and play with these numbers yourself. Even if you don’t agree with my assumptions, whatever numbers you plug in, the odds of full coverage via manual assessments alone are not in our favor. One could argue that not every app in the entire world needs to be tested once a quarter, or even that not all apps need to be tested at all. Or one could say that WAFs reduce the overall need for certain signature-rich vuln classes. But even if you massage these numbers into the best possible scenario, we still have a massive talent debt. Therefore some automation is not just important, but absolutely critical if we want to tackle this global problem head-on.