
RSA 2019: 5 Key Takeaways from an AppSec Researcher

After an exhilarating RSA 2019, where WhiteHat Security announced that NTT Security has signed a definitive agreement to acquire the company and cybersecurity vendors from all segments of the market came together to show their innovations to the world, it’s time to reflect on some of the key themes and concerns resulting from the show.


1. Automation everywhere

It’s not surprising, with ongoing talk of the cybersecurity skills shortage and resource-strapped IT teams becoming more overwhelmed by the day, that automation was a prominent theme all over the show floor, in network, application, cloud security and more.

While artificial intelligence and machine learning do play a part in the automation storyline for many security companies, they were not as heavily called out in branding materials as I would have expected. Could this be attributed to society’s waning but still present hesitance around the technologies?

2. Companies still latching onto network security

In 2019, IT professionals are still having trouble looking beyond network security and realizing the importance of application security. The prominence of network-centric vendors at RSA reinforces the idea that many enterprises are choosing between the two instead of incorporating both for a well-rounded security posture. This is likely for budgetary reasons or because they don’t fully understand the need for AppSec just yet.

But in today’s digital economy, applications are the foundation of business, and hackers are highly aware of the sensitive data they can access by exploiting application vulnerabilities. So protecting applications should be priority number one. In fact, the 2018 WhiteHat Security Statistics Report confirmed that the security of applications, which are the biggest target for data breaches, has progressively deteriorated year-over-year.

Therefore, businesses must begin by identifying, prioritizing and managing risks relative to the potential impact on mission-critical operations. This way, organizations can balance security needs against cost considerations, and design an enterprise solution that secures its people, facilities, processes and technologies.

3. Many application security vendors lack manual in-house verification

WhiteHat Security’s mission is to help businesses build the most secure applications by providing faster speed, the deepest coverage, and the highest accuracy available on the market. While most application security vendors we saw at RSA hit one or two of these key components, they often sacrificed excellence in at least one to bump up the effectiveness of the others.

A key differentiator for WhiteHat Security that makes it possible for us to provide all three to our customers is our Threat Research Center (TRC). Because of the TRC team’s hard work, we have the largest database of verified security vulnerabilities, which helps WhiteHat Security’s Attack Vector Intelligence (AVI) technology, combining human and artificial intelligence, improve its accuracy. Discovered vulnerabilities are prioritized according to their severity, thus providing guidance on what should be remediated first. They can also be run through the TRC for manual, in-house verification if necessary, with a guaranteed verdict within 24 hours.

4. Security and business leaders experiencing relationship growing pains

The industry has long called for business executives to pay more attention, ask more questions and become more involved overall in their companies’ cybersecurity postures and practices. At RSA, it was clear that these calls are being answered, and many C-level executives want to be a part of the security conversation—but there are some relationship growing pains.

These leaders now see the weight security has on a successful digital transformation and that a slip-up could mean sink or swim for their entire business. So they want the high-level details. CISOs, however, can often only provide static information rather than the dynamic data these presentations need to be effective.

To help ease the strain, we saw a lot of risk-quantifying tools at the show focused on providing information on a continual basis. So it’s great to see steps being taken to facilitate improvement in these communications!

5. It’s a tech conference…where were the technical booth staff?

Beyond technological themes, one point was quite interesting: most booths were staffed heavily by sales-focused employees rather than those with deep technical knowledge.

For CTOs, CISOs, CSOs and other technical buyers, I can only imagine how frustrating it would be to get your badge scanned and then spend 15-20 minutes listening to a high-level sales pitch without getting the answer to the most important question: “So what do you actually do?” Cue the endless follow-up calls and emails post-show! This is definitely something for exhibiting companies to consider next year, even if it’s just 1-2 experts onsite.

Overall, we just wanted to thank everyone who stopped by WhiteHat Security’s events and booth to chat with our researchers and executive team to learn more about how we can help you secure your digital business. And we’re looking forward to next year!