Some years back, I was decompressing with another security person. He asked how my conference was going and I said, "Great. I did a training today and I am doing another training tomorrow. How's yours?" He groaned, "Ughh. I did a training today and," he sighed, "I have to do another tomorrow."
It surprised me. Sure, training is a lot of work, but I really enjoy the flow of ideas, and seeing developers and security people think about AppSec in real ways. I have met many great people to work with in classes and usually leave class with more energy than I started with.
He went on to complain that his class was dead: people falling asleep, bored, and so on. I should pause here to say that this is a very well-regarded security person. So my class is all geeked up and his is drooling; what was the difference? I am an OK presenter, but this guy is a way better presenter than I am. I have good content, but so does he. So what is the difference?
Then it hit me: his classes were "have to take" classes, not exactly certification but close enough. People in his class were there on sort of a forced march, because they had to. Not in my AppSec class, though. AppSec is many things, but it's not a glory detail with shedloads of funding. The people in my class sought it out and wanted to be there; they were trying to get to the next level, not just check a box. The difference between these two things is as night is to day.
So while AppSec has many problems (it's drastically underfunded, for one thing), I am glad to work in a field where the majority of people in it self-selected to take on a harder challenge. It's not for everyone, but it's work worth doing. OWASP and other AppSec groups are great in that they bring together practitioners from lots of different companies. Sure, many people are the "one AppSec person" at their company, or part of a single-digit percent of the security team/budget, when more like half should be invested in AppSec.
The difference between my class and the other security person's wasn't my presentation skills or content. It's that in my class the information was pulled by the audience, and in his it was pushed at them. This is consistent with my experience. When I teach a 101 AppSec class, inevitably there are lots of 201 questions. In a 201 class there are lots of 301-level questions. In 301, the people email me years later, start their own blogs and OWASP groups, and go do some really neat work. It's a small area, but AppSec is growing because a core of people are intrinsically motivated to work on it.
AppSec is fundamentally a grind-it-out, bottom-up business. It's not a path to glory, but AppSec teams make a difference. Even nascent or smaller AppSec teams bring something new and useful to their org when they improve coding practices and patterns. Sure, AppSec is underfunded by around 10x at most companies, and this creates a major scaling problem, but these are better challenges than being in a part of the security team with bigger budgets when all that gets you is people marking time and falling asleep.