The VC View: The AppSec Evolution


Eliminating friction and making AppSec scalable starts with designing solutions built for developers


While zero-days like the recent Spring4Shell create headlines, an unfortunate infosec reality is that attackers breach networks by exploiting vulnerabilities that are already well known. CISA’s list of the Top Routinely Exploited Vulnerabilities makes that abundantly clear: in 2020, 8 of the top 12 exploited vulnerabilities were from 2019 or earlier.

That’s why Application Security (AppSec) tooling like IAST/DAST scanners that can detect vulnerabilities in production workloads is so critical, and why the evolution of the AppSec space is one of the most important post-pandemic security trends.

Before we dive into the specifics of AppSec, let’s clear up a common misconception: AppSec and DevSecOps are complementary, but they are NOT the same. DevSecOps is about building security into the SDLC and "shifting left", while AppSec is about finding, preventing, and fixing issues once workloads are deployed to production. 

Put simply: DevSecOps is about pre-deployment and AppSec is post-deployment.

Specifically, the AppSec category includes tools like IAST, DAST, RASP, WAFs, IPS/IDS, and bot management solutions. Traditionally, AppSec tooling was siloed between development (dev) and operations (ops): dev implemented IAST agents while ops ran ad-hoc scans. Or, worse, security scans were simply tacked on post-deployment without any dev involvement at all.

But in a world where DevOps culture and CI/CD pipelines are the norm, manual scans and siloed security tooling no longer fit. Businesses need AppSec solutions aligned with the collaborative and agile culture that has made DevOps so powerful. That means emphasizing collaboration, eliminating friction, and enabling automation. Ad-hoc scans and annual pen-tests are useful, but they don’t provide the same protection as tooling that is an inherent part of the delivery pipeline.

Additionally, false positives and false negatives are both major problems in the AppSec world. Flagging too many irrelevant vulnerabilities leads to alert fatigue and complacency. This is common for scanning practices that simply raise alerts based on version numbers or limited context. The flip side of that coin is that false negatives are worse: not alerting when a potential vulnerability is present can lead to a breach.
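To make the version-number problem concrete, here is an added example (not code from the original column or from any vendor it mentions). It contrasts a naive matcher that alerts purely on "installed version is below the fixed version" with a triage step that uses deployment context. The advisory feed, package names, feature flags and inventory are all constructed for illustration; none correspond to real CVEs or real libraries. Rather than silently dropping context-suppressed matches (which would trade false positives for false negatives), the contextual version keeps them as backlog items so they are not lost.

```python
"""Version-only vulnerability matching vs. context-aware triage.

Added example with constructed data: the advisories, packages and the
"feature flag" exploit precondition are hypothetical, not real CVEs.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Advisory:
    package: str
    fixed_in: tuple                       # first safe version, e.g. (2, 17, 1)
    requires_feature: Optional[str] = None  # hypothetical precondition for exploitability


@dataclass
class Component:
    service: str
    package: str
    version: tuple
    loaded: bool                          # does the running workload actually load it?
    enabled_features: set = field(default_factory=set)


# Constructed advisory feed (illustrative only).
ADVISORIES = [
    Advisory("logkit", (2, 17, 1), requires_feature="remote_lookup"),
    Advisory("imgparse", (1, 4, 0)),
    Advisory("oldxml", (3, 0, 0), requires_feature="external_entities"),
]

# Constructed production inventory across two hypothetical services.
INVENTORY = [
    Component("api", "logkit", (2, 14, 0), loaded=True),
    Component("api", "imgparse", (1, 3, 9), loaded=True),
    Component("batch", "oldxml", (2, 9, 0), loaded=False),
    Component("api", "oldxml", (2, 9, 0), loaded=True,
              enabled_features={"external_entities"}),
]


def version_only_findings(inventory, advisories):
    """Naive scanner: alert whenever installed version < fixed version.
    Every match is emitted with the same weight, regardless of context."""
    hits = []
    for c in inventory:
        for a in advisories:
            if c.package == a.package and c.version < a.fixed_in:
                hits.append((c.service, c.package, c.version))
    return hits


def contextual_triage(inventory, advisories):
    """Same version match, then triage with deployment context:
    - library never loaded in the workload          -> backlog
    - exploit precondition (feature flag) disabled  -> backlog
    - otherwise                                     -> actionable
    Returns a list of (service, package, version, tier)."""
    findings = []
    for c in inventory:
        for a in advisories:
            if c.package != a.package or c.version >= a.fixed_in:
                continue
            if not c.loaded:
                tier = "backlog"
            elif a.requires_feature and a.requires_feature not in c.enabled_features:
                tier = "backlog"
            else:
                tier = "actionable"
            findings.append((c.service, c.package, c.version, tier))
    return findings


def actionable(findings):
    """Convenience filter: only the findings an on-call engineer should see now."""
    return [f for f in findings if f[3] == "actionable"]


if __name__ == "__main__":
    naive = version_only_findings(INVENTORY, ADVISORIES)
    triaged = contextual_triage(INVENTORY, ADVISORIES)
    print(f"version-only alerts: {len(naive)}")
    print(f"actionable after context: {len(actionable(triaged))}")
    for f in triaged:
        print(f)
```

Running it shows four version-only alerts but only two that are actionable given the constructed context (the image parser with no precondition, and the XML library instance that actually has the risky feature enabled); the other two stay visible as backlog rather than disappearing.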

With that in mind, what trends are moving AppSec in the right direction and shaping what the market will look like in the years to come? 

● Developer focus - This may be the single most important trend in the AppSec space over the next few years. For AppSec to become frictionless, the tooling must be built to meet the needs of modern developers. That means a focus on APIs, automation, and integrations with other tools developers use like Jira, Slack, and GitHub. Tromzo, a startup that has raised over $3 million from over 25 different CISOs, is a great example of a startup making progress in building developer-focused AppSec tooling. 

● Context is key - Exploits are a pattern of events, and what’s malicious in one context may be harmless in another. Understanding behavior in context is key to improving detection rates, reducing false positives, and identifying sophisticated attacks. To understand context at the speed required to mitigate threats, AppSec tooling must integrate AI and ML effectively. Fortinet’s recent acquisition of the Bay Area startup Sken.ai is one clear example of investment in integrating intelligence and context into AppSec.

● Convergence - “Tool sprawl” is a real problem in the AppSec world. A single team could have different tooling for vulnerability scanning, WAFs, bot detection, and IPS/IDS. More tools mean more complexity, more friction, and more chances to get something wrong. All of that is bad for security. DevOps teams need tools that simplify workflows, and part of that is converging security functionality into a single platform. For example, the Contrast Security platform combines security scanning, assessment, threat detection, serverless security, and SCA into a single platform. 

To summarize, AppSec is key to protecting production workloads from modern threats, but there are still too many silos and too much friction in existing implementations. Ad-hoc scans and tooling spread across teams with different responsibilities aren’t agile or scalable enough.

Eliminating friction and making AppSec scalable starts with designing solutions built for developers. The AppSec platforms that do that and deliver the accuracy and convergence teams need will be the platforms best positioned to grow their market share in the years to come.


By William Lin on Tue, 20 Sep 2022 14:36:59 +0000