To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “What are some real-world problems you, or your clients, are solving by securing applications?” Here’s what they told us:
- Our customers are solving three problems: 1) The ability to easily scale across an application portfolio by integrating at a common point. All code is designed to run, so the logical place for security is in run-time. 2) Automated protection, making software handle remediation, rather than jockeying project schedules to pit security against feature development. 3) Accuracy to differentiate between an attack and a vulnerability. By being inside the application, we are able to make this distinction and give time back to any security monitoring team who would otherwise monitor and investigate a barrage of alerts from attacks that don’t matter. Giving this time back enables security teams to look into events that could actually impact the business.
- One of the problems our clients face is making sure different entities and their applications within a branch or location do not have unauthorized access to each other. For example, HVAC applications should not have access to payment processing. Our solution does this out-of-the-box, without having to be requested or explicitly defined.
- We have 850 clients who test thousands of apps every month. Many are Fortune 50 organizations. One use case is when a new zero-day vulnerability is just detected. Clients don’t know if their applications are affected or not. They reach out to us, test their applications, collect information from static code analysis to determine if their application has the component, and learn what to do to fix it. We help them analyze apps they are planning to deploy and tell them where the vulnerability is in a line of code. We perform continuous testing of applications to make sure they are still resistant to attacks.
  Our production-safe methods don’t bring down apps while testing. We’ve tested 50,000 apps to date. We actively test 15,000 apps 24x7x365. We’ve identified 700,000 vulnerabilities and 95 million attack vectors and analyze 250 million lines of code daily. We detect an average of 15 vulnerabilities per application. Over 80% of Java applications have insecure components. Remediation time is getting longer. It takes five months to fix the most severe vulnerabilities and seven months to fix the less severe, even when we tell them the line of code to fix. We are not getting better.
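The zero-day workflow described above (a vulnerable component is disclosed, and the question is which applications in the portfolio carry an affected version) reduces to matching each application's dependency inventory against the advisory's affected version range. The following is an added example, not code from any of the vendors quoted here; the component names, versions and advisory are constructed, and the inventories stand in for what static analysis or an SBOM tool would report per application.

```python
"""Added example: check per-application dependency inventories against a
constructed advisory for a newly disclosed vulnerable component.
Nothing here is from a real advisory or product; all data is made up."""
import re
from dataclasses import dataclass

# Constructed inventories: (component, version) pairs as reported by
# static analysis / SBOM generation for each application.
INVENTORIES = {
    "payments-api": [("example-json-parser", "2.9.3"), ("logging-core", "1.4.0")],
    "hvac-controller": [("logging-core", "1.2.1")],
    "web-portal": [("example-json-parser", "2.10.1"), ("logging-core", "1.4.2")],
}


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory: versions in [first_affected, fixed_in) are vulnerable."""
    component: str
    first_affected: str
    fixed_in: str  # first version that is NOT affected


# Hypothetical advisory for the example component.
ADVISORY = Advisory("example-json-parser", "2.0.0", "2.10.0")


def parse_version(version):
    """Turn '2.9.3' or '1.4.0-beta' into a comparable tuple of integers.
    Non-numeric fragments (qualifiers) are treated as 0 so they sort
    below the numeric release with the same prefix."""
    parts = re.split(r"[.\-]", version)
    return tuple(int(p) if p.isdigit() else 0 for p in parts)


def is_affected(version, advisory):
    """True if version falls in the advisory's affected range."""
    v = parse_version(version)
    return parse_version(advisory.first_affected) <= v < parse_version(advisory.fixed_in)


def affected_apps(inventories, advisory):
    """Map each affected application to the vulnerable version it ships."""
    hits = {}
    for app, deps in inventories.items():
        for name, version in deps:
            if name == advisory.component and is_affected(version, advisory):
                hits[app] = version
    return hits


def remediation_report(inventories, advisory):
    """Human-readable lines telling each affected app what to upgrade to."""
    return [
        f"{app}: {advisory.component} {version} is affected; upgrade to >= {advisory.fixed_in}"
        for app, version in sorted(affected_apps(inventories, advisory).items())
    ]


if __name__ == "__main__":
    for line in remediation_report(INVENTORIES, ADVISORY):
        print(line)
```

Running the block prints one line for `payments-api` only: `web-portal` already carries a version at or above `fixed_in`, and `hvac-controller` does not use the component at all. In practice the inventory side comes from a dependency manifest or SBOM and the advisory side from the vendor or a vulnerability feed; the comparison logic is the part that has to be right, so it is kept separate and testable.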
Here’s who shared their insights:
- Erik Costlow, Developer Relations, Contrast Security
- James McClay, Product Manager, Cybera
- Doug Dooley, COO, Data Theorem
- Joseph Feiman, Chief Strategy Officer, WhiteHat Security
- Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs