For software quality-assurance testers and engineers, acquiring new skills has never been more important. While the number of software QA jobs is expected to grow over the next decade by a modest—if "faster than average"—7%, according to the O*NET career portal, that growth will not match the skyrocketing demand for information-security practitioners and software developers.
Moreover, during a downturn—such as the current, pandemic-prompted unemployment situation—software QA testing engineers face more significant headwinds, according to jobs site Indeed.com. Application-security postings on the site sank about 9% in September 2020 compared to the prior year, but quality-assurance postings declined by more than 18%, according to data provided to TechBeacon.
Those trends, along with the growing importance of security testing in software development, suggest that application and automation test specialists should increase their application-security knowledge, said Joe Colantonio, the founder of TestGuild and Guild conferences, which focus on specific QA disciplines, including security and test automation.
"Companies are putting a higher value on security than on quality assurance. Testers need to get more involved in security, and there is a good opportunity for them to get these skills to help their career and make more money."
—Joe Colantonio
Here are security skill-building lessons for QA testers, gathered from market data and from top technology-job analysts and application-security experts.
1. Security testing skills have value
Current trends in the job market suggest that software QA testers who acquire security knowledge will face a more lucrative job market.
In 2019, the U.S. had approximately 130,000 information security analysts, the closest occupation to application-security professionals, according to data tracked by the US Bureau of Labor Statistics (BLS). That total is expected to grow by more than 40,000 over the next decade—a stunning rate of 31%.
While software developers also face high demand over the next decade—a 22% rise, according to the BLS—that amounts to a much larger absolute change of 316,000 workers.
Both of those disciplines will likely see continued demand.
Rather than moving laterally into a new profession, software QA testers will likely increase their value by gaining skills in both app security and development. Testers and developers who can talk about security are much more prized than those who have little security expertise, said Martin Knobloch, global application security strategist at Micro Focus.
"A lot of app sec professionals think they are heroes because they can break stuff, but there are a lot of people who don't know how to talk to the developers. The most important skills for security people—and testers—is to be able to communicate business risk, so security specialists with a development background [and vice versa] are really valuable."
—Martin Knobloch
2. Automation is key for agile development
Among technical skills, testers who know automation, security, and machine learning are increasingly valuable, said David Foote, principal and co-founder of Foote Partners, a technology analyst firm.
In its research, the firm found that the skills with the highest pay premium include DevSecOps, natural language processing, risk assessment, and security architecture. Yet automation is the one common component of almost every job and is especially important for an software QA tester or engineer in the modern DevOps software development lifecycle.
"It is difficult to find some area that does not have automation as a component. Just like you cannot bring a knife to a gun fight, you cannot win the security fight against attackers without automation."
—David Foote
3. More security tests are shifting left
As the testing phase of software development increasingly "shifts left"—from a discrete step in the development cycle to part of developers' daily responsibilities—security tests are quickly being integrated as well. The software QA testers who are working to build the test infrastructure need to have a solid grasp of security, said TestGuild's Colantonio.
"Developers and software engineers—because you want to push software through development and into production faster, with this whole movement to 'shift left,' you want to automate as much as possible. So future tasks may not focus on traditional test automation—it could be anything automation, particularly in the case of a lot of security tools, where they automatically scan for vulnerabilities at a check in, even before the code gets to the security team."
—Joe Colantonio
4. Application security: Champions needed
In addition, software QA testers and engineers are often the bridge between the security team and developers, so they increasingly need to teach about security and privacy requirements. Without knowing the basic security concepts, designing privacy and security into the application will be difficult, said Micro Focus' Knobloch.
"App sec is always going to be out numbered, many to one. The security person on the team is only one guy, so he ends up doing all the security projects, which is not what you want. So the role of application security and application testers are to mentor the developers in how to do the security stuff."
—Martin Knobloch
5. Get certified
Overall, the value of certifications is on the decline. Companies are more likely to look at a job applicant's past work to gauge expertise than to rely on certification tests that have uncertain benefits in the market, according to Foote Partners.
The average value of the more than 500 technical certifications Foote Partners tracks shrank 1.5% in the last quarter. This continued a two-year decline, to land at the lowest average pay premium in seven years and the widest gap between certified and non-certified tech skills in over a decade.
"They are easy to get, and they don't confer any sort of expertise. Companies have others ways to determine whether someone knows their stuff or not."
—David Foote
Information security certifications, however, continue to be valuable, yielding a 9% increase in pay, according to the firm. Application development skills, especially experience with certain tools, has generally matched the average technical certification trend—currently, a 7% pay premium. Nevertheless, demonstrable, though uncertified, skills pay even more—nearly 12%.
Skills to pay the bills, and much more
Overall, software QA testers and engineers should look at security skills as knowledge that will help them not only improve their job performance and add more value to their role in the development cycle, but as a way to further their careers and attain higher pay.
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
