To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “How has application security changed?” Here’s what they told us:
- Application security is no longer based on strobe-light scanning processes that tell you how secure you were last Wednesday. Modern security is continuous and can act to protect vulnerabilities rather than just making inaccurate lists.
- Operations and network security have fallen short. Companies are losing millions of records on a regular basis. We used to have a perimeter defense; however, now, the apps are on the public cloud and available on an app store. Because of mobile and cloud, the perimeter is now applications and identity. You have to make sure you have good identity and AppSec controls to protect your data. We’ve moved from static code analysis to new techniques and tools. Old tools do a terrible job of providing tangible vulnerabilities to fix.
- Application security has been evolving as the amount of data being managed has increased exponentially. In order to respond to the increased threat, we are developing innovative ways of finding vulnerabilities faster and handling the logistics involved in ensuring all of these vulnerabilities are removed in order to protect the world’s ever-growing production environments. There have been even more changes beyond what the public-facing interfaces of services offer. Due to the exponential growth of the number of devices on the Internet (Internet of Things, containers, etc.), safe, walled network gardens (DMZs) are on the brink of becoming obsolete. Managing machine identities and controlling which machine can access which service (both of which are very similar to role-based access control for humans), is becoming a concern that enterprises are starting to have to manage.
- Security has gone from being an afterthought to central to the success of any application. As digital transformation accelerates, organizations are increasingly relying on applications and networks for the daily operation of critical systems. In the past, an organization could get away with insecure and outdated applications, but in today’s environment application, security is critical to business success.
- We are not winning the war. One of the most severe vulnerabilities is SQL injections. In 2018, 40% of all apps were vulnerable to a SQL injection. That’s the same percentage we saw in 2017, 2016, 2010, and 2005. Remediation time has increased by either six or 10%. It now takes an average of 139 days to remediate the most severe vulnerabilities and 210 days to remediate moderate vulnerabilities. We are creating microservices that are less secure because they’re delivered faster. Every year, companies spend $12 billion on firewalls and web security gateways, knowing we are not protecting assets any better. We invest a tiny percentage of the IT budget on AppSec, but we’re not really protecting assets.
Here’s who shared their insights:
- Erik Costlow, Developer Relations, Contrast Security
- James McClay, Product Manager, Cybera
- Doug Dooley, COO, Data Theorem
- Joseph Feiman, Chief Strategy Officer, WhiteHat Security
- Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs