Industry Observations

Evolution and the Movement of AppSec to the Cloud

Time was, all you needed was anti-virus software to be secure in your hard-wired network. Then you needed a firewall. Then maybe a network scan to find your un-patched servers and services, and an intrusion detection device to monitor network traffic, and host-based detection. Then came anomaly detection, data loss prevention, encryption tools.

But then we got mobile devices, and executives fell in love with tablets. And then smart objects, from buildings to cars and medical devices. The boundaries of the network keep growing, but we security experts keep saying that the user is the weakest link.

I think that’s going to start to change, and that’s a good thing.

The boundaries have become the baseline; all the security methodologies from the past can now be found in fewer, multi-purpose devices, or via networked technologies with multi-vendor partnerships. I know SecIntel feeds from security companies are consumed by the products of others, helping make the whole ecosystem safer. Additionally, having those feeds lets the security experts in a company focus on threat intel to perform better risk analysis for their own organizations, leading to more focused investment and practices.

I’m seeing a similar coming of age in application security. WhiteHat Security has been performing application security testing for 15 years. That’s dynamic testing, source code testing, and penetration testing of web and mobile applications – all pieces of the security discipline required to harden applications against accidental and malicious misuse. If you want to know how to harden an application against hackers, that’s our core function. And we’ve always been in the cloud, as it were, with a system built as a service to test your code for you.

Likewise, web application firewall (WAF) technology has improved, so that it can monitor, control, and escalate alerts about attacks made against vulnerabilities in applications. The smarter we can make these WAFs, the more detailed the possible responses become. Alerting is the first step of awareness: knowing that an attacker is trying an entry. The increasingly sophisticated choices, from informational emails to alerting, blocking, ignoring, and so forth, put a lot in the hands of the security expert, as above.

And yet we all know there are a finite number of security experts available. This is why I appreciate technology partnerships like the one with F5 and their BIG-IP ASM WAF, which can take the application intelligence from one of our scans and create easy-to-execute rules on how to use that information to mitigate the risk while the DevOps team works (usually much more slowly) to remediate. Integration like this between vendors, working together, is absolutely the way of the future for our industry.
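To make the scan-to-WAF idea concrete, here is an added sketch (not WhiteHat's or F5's code; the finding format, rule format and request shape are all constructed for illustration) that turns confirmed scanner findings into rules scoped to the exact path and parameter, with the alert-versus-block escalation choice left to the security team:

```python
"""Virtual patching sketch: scanner findings -> scoped WAF rules.

Added example; the finding/rule/request formats are constructed,
not the format of any real scanner or WAF product.
"""
import re
from dataclasses import dataclass

# Constructed scanner findings: where each vulnerability was confirmed.
FINDINGS = [
    {"id": "F-1", "class": "SQL Injection", "path": "/account", "param": "id"},
    {"id": "F-2", "class": "Cross-Site Scripting", "path": "/search", "param": "q"},
]

# Minimal illustrative signatures per vulnerability class (not exhaustive).
SIGNATURES = {
    "SQL Injection": re.compile(r"('|--|;|\bunion\b|\bselect\b)", re.I),
    "Cross-Site Scripting": re.compile(r"(<\s*script|javascript:|on\w+\s*=)", re.I),
}

@dataclass
class Rule:
    finding_id: str
    path: str
    param: str
    pattern: re.Pattern
    action: str  # "alert" (log only) or "block"

def rules_from_findings(findings, action="alert"):
    """One rule per finding, scoped to the exact path+param the scan confirmed,
    so the virtual patch does not disturb traffic elsewhere in the app."""
    return [Rule(f["id"], f["path"], f["param"], SIGNATURES[f["class"]], action)
            for f in findings if f["class"] in SIGNATURES]

def evaluate(rules, request):
    """Return (decision, matched finding ids) for {"path": ..., "params": {...}}.
    Decision escalates: allow -> alert -> block."""
    decision, hits = "allow", []
    for r in rules:
        value = request["params"].get(r.param)
        if request["path"] == r.path and value and r.pattern.search(value):
            hits.append(r.finding_id)
            if r.action == "block":
                decision = "block"
            elif decision == "allow":
                decision = "alert"
    return decision, hits
```

Running rules in alert mode first lets the team confirm no legitimate traffic matches before switching the same rules to block.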

This vendor sharing of information and capability matters even more in cloud computing. The cloud movement represents a conservation of resources, from human capital to power use and ecological footprint. Running one large datacenter or virtual environment saves companies from having to duplicate experts in NetSec and AppSec alike, and lets them share security operations and monitoring.

I’m glad the movement toward the cloud has swept up both NetSec and AppSec under the greater auspices of keeping users and transactions safe. Tools alone aren’t the answer any more, as IT teams (and budgets) are challenged to find ways to work smarter. We security vendors, and you the businesses allowing users to do transactions and conduct their lives in the cloud, owe it to those users and customers to get along and find more ways to integrate.

Tags: application security, Risk Management, Software & Technology