Many have warned of a severe shortage of qualified professionals in the web application security sector. WhiteHat Security has issued a warning that the reality is not just a severe shortage, but actually a cataclysmic gap.
Robert Hansen, Technical Evangelist at WhiteHat Security, has devised a formula that he believes estimates just how big the shortfall really is. Some key highlights from his analysis are:
There are estimates that anywhere from 300 million to 450 million websites are on the public internet.
Manual penetration tests tend to take anywhere from one day for very small websites to months or years for big websites.
Optimistically, only one in 10 people in the security industry can actually 'do' web application security assessments.
There is a huge deficit in the number of testers needed to meet requirements.
Below is the full blog discussing the issue:
A few times in the past Jeremiah has shown that there is a severe shortage of qualified professionals in the industry. The math changes quite often, but I decided to make a quick little calculator to show how much of a deficit we really have.
My assumptions are as follows (and arguably they are all wrong, but go ahead and change them to whatever you think is correct). There are estimates of anywhere from 300 million to 450 million websites on the public internet. I chose the lower of these estimates. If someone has better numbers that are more accurate, I'd love to hear them and how you obtained them.
Based on a lot of anecdotal evidence, manual penetration tests tend to take anywhere from 1 day for very small websites to months or years for big websites. I averaged it out to 16 hours just to put a line in the sand. Some may say it's more, or less, but it's a number we can debate.
I also estimated that there are no more than 300k people in the security industry that can do web application security assessments. That is partially based on some Gartner data that there are somewhere in the neighbourhood of 3 million people working in security overall, worldwide. Optimistically, I'd say that only 1 out of 10 people in our industry can do webappsec assessments, if you count sales people, marketing people, developers and so on. The real number is almost certainly an order of magnitude smaller, but I don't have real numbers.
Lastly, we know that there are approximately 2000 work hours in an average year. That may be high, especially if your webappsec engineers are off taking phone calls, talking to customers, doing training, going to conferences, etc. Therefore, optimistically, we should expect (based on these numbers) the average fully dedicated webappsec penetration tester to do around 31 webapps a year if they must test each one once a quarter - again, assuming they never do anything but penetration tests.
The numbers are stunning - we're at a huge deficit. I'm not even going to say the numbers, they're that bad. You can download the small spreadsheet and play with these numbers yourself. One could argue that not every app in the entire world needs to be tested once a quarter, or even that not all apps need to be tested ever. Or one could say that WAFs help reduce the overall security need for certain signature-rich vuln classes. But even if you massage these numbers to the best possible scenarios, we still have a massive talent-debt. Therefore some automation is not just important, but absolutely critical if we want to tackle this global problem head-on.