AppSecSchool:
AppSec Ratio

Enjoy our additional free content from our channel

AppSec Ratio

AppSec to Dev Ratio: Guiding Your Strategy

Understanding the AppSec to Dev ratio is essential for determining your approach and strategy as an appsec engineer. It's the number of appsec engineers to the number of developers in an organisation. This ratio varies widely between organisations and can greatly influence the nature of your work.

A commonly cited figure is 1%: 1 appsec engineer for every 100 developers. This may seem like a daunting ratio with 100 developers producing code to just one individual overseeing its security.

Strategy Based on AppSec to Dev Ratio
Low AppSec to Dev Ratio:

With a lower ratio, there are more developers compared to appsec engineers, indicating that appsec resources are stretched thin.

  • Buy over Build: You might need to purchase tools instead of developing them in-house.
  • Seek External Assistance: Occasionally, you might have to get outside help to complete projects.
  • Prioritize Automation: Automation will be key to handle the volume.
  • Selective Review: Not all projects might be reviewed.
  • Strategic Approach: Every effort should be thought out and strategically planned.
  • Reactiveness: You might find yourself constantly reacting to issues, or "extinguishing fires".
High AppSec to Dev Ratio:

A higher ratio indicates a larger proportion of appsec engineers relative to developers, allowing for a more in-depth approach.

  • Build Custom Tools: You have the bandwidth to create in-house tools tailored to your needs.
  • Comprehensive Review: More projects can be reviewed, although perhaps not all.
  • Focus on Long-Term: You can dedicate more time to long-term strategies.
Communication is Key

No matter your ratio, it's imperative to communicate effectively with both the development and security teams. This ensures everyone has a clear understanding of the workload and capabilities. For instance, it should be evident that a team of 5 cannot scrutinise every single line of code produced by 5,000 developers. An open dialogue may also pave the way for developers to shoulder more of the responsibility.

Pro Tip for Job Seekers

When interviewing for a job in this field, inquiring about the AppSec to Dev ratio can give you a clear picture of the workload and challenges you'd be signing up for.