AppSec Additional Considerations

To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “What have I failed to ask you that you think we need to consider with regards to application security?” Here’s what they told us: 

  • I would focus a little on accuracy, time, and priorities. For example, a few years back with the Target breach, the question nobody asked was: if Target’s technology found that attack, what prevented them from actually looking into the issue? The problem is that many security systems flag all kinds of things and require tuning (reducing false positives), and many external defenses that claim not to require tuning miss a ton of things. There’s a saying that “scanning turns ignorance into negligence” because companies don’t act on the results. For many weaknesses, the solution can be automated.
  • It’s a headcount issue. If companies try to improve their AppSec solely by adding staff, declare defeat. AppSec needs to be automated and scale with the staff they have.
  • We do not see application security being a separate conversation from network security, as so many of today’s applications traverse networks. A good question to ask might be, “What are some tools and techniques for an application as it traverses a potentially or perhaps inherently insecure network?”
  • Vendors today can offer technologies. There are still some gaps, but we’re offering high-speed testing to support DevOps.

Here’s who shared their insights:

This UrIoTNews article is syndicated from DZone.