Security Solution Providers Turn Their Focus To Applications

Vendors are seeing the opportunity, too, with multiple companies making acquisitions in the application security space in recent weeks. New York-based CA Technologies said in early March that it planned to acquire Veracode, a cloud-based secure DevOps platform for securing web, mobile and third-party enterprise applications throughout the software development life cycle, for $614 million.

Okta also said in March that it planned to double down on the application security market, acquiring StormPath to add to its technology portfolio and talent pool around identity authentication, authorization, and user management for web and mobile apps.

Chief Product Officer Eric Berg told CRN that Okta sees companies going through a transformation around software development, looking for alternative ways to accelerate the development of web and mobile applications. Security is increasingly becoming a more critical piece of that conversation, he said, driving application security to be a "healthy business" for the San Francisco-based company.

"We're taking a high-growth business of ours and supercharging it," Berg said.

There are multiple opportunities for solution providers around application security, Kudelski's Howard said. First, he said solution providers can help customers take inventory of their web applications, which he said is a challenge with shadow IT and a constantly changing application footprint in large organizations. CISOs should start with securing their most critical business applications, and then look to secure the rest of the applications in the environment, he said.  

The second area of opportunity for solution providers is to help companies test their applications, bringing in an external or internal team for testing and using security tools to test for weaknesses, he said.

Third, companies such as Kudelski can help customers put defensive mechanisms in front of their applications, including web application firewalls and deep packet inspection capabilities, he said. Finally, there is an opportunity to prevent security flaws from happening in the first place, with training and integration of continuous security testing into the DevOps process and after launch, according to Howard. 

David Powell, general manager, service provider business, at Santa Barbara, Calif.-based LogicMonitor, said another opportunity he sees for solution providers around application inventory is in what he called "application rationalization," where they look to make more strategic application investments. That includes making more strategic buying decisions, disaggregation of the application stack, investing further in making critical applications run better, and eliminating applications that aren't in use, he said.

Solution providers have a role in helping customers go through the application rationalization process, he said. From a security perspective, that changes the landscape for application security, broadening the threat landscape but allowing companies to more easily isolate applications and improve identity and access management, according to Powell. This shift demands a different set of skills from application and security professionals, putting more emphasis on automation and orchestration capabilities, he said.