Is Application Security Dead?The nature of the field has changed greatly because of the move to the cloud and enterprise digital transformation.
Spoiler alert: If application security isn't dead yet, its days are numbered. OK, this is an over-exaggeration, but fear not, application security engineers — the work you do is actually becoming more important than ever, and your budget will soon reflect this. Application security will never die, but it will have to morph to succeed.
Application security has been around for well over 15 years as a subset of enterprise security. Since the early 2000s, application security experts have made a great living assessing websites and selling application penetration tests. But today, more and more of those experts are changing titles from application security engineer to product security engineer. This is more than just a semantic shift; it reflects a real change in the nature of enterprise security. To understand its significance, consider the impact of two major industry trends: the move to the cloud and enterprise digital transformation.
The Move to the Cloud
The rapid rise of cloud, DevOps, and agile development has left security teams struggling to keep up. As applications are built using as-a-service platform, infrastructure, and function offerings such as Amazon Web Services, Pivotal, and Lambda, the traditional model of network- and host-based security is now in the hands of third-party providers. This abstraction has shrunk the security perimeter and forced traditional enterprise security experts to update their skills.
At the same time, we've also seen the rise of the DevOps security specialist. In the past, application security teams held responsibility for the security of code and ran static and dynamic analysis tools to help the development team vet their output. Now these techniques are being reinvented into a more DevOps-focused model where developers and operations teams analyze, secure, and repair their own code and deployments. This eases the burden on the already overtaxed application security team and puts security ownership where it belongs: in the hands of the team that built the application in the first place. Integrating application security into the continuous integration/continuous delivery pipeline also allows security verification to occur in real time, long the dream of application security experts.
Adding fuel to the fire is the transformation of enterprise business from traditional models to digital-first. Businesses of all kinds are now integrating digital technology into all areas of their products, services and operations to support new ways of delivering value.
As products move online, the domain of the security expert is expanding greatly. Applications are no longer limited to internally focused support systems — they're now the lifeblood of the organization and its most important revenue stream. It's no longer enough to focus on safeguarding a handful of web applications; application security engineers must now own security across entire product lines and protect the business itself.
The Rise of Product Security
In this light, the shift from application security to product security — as both a job title and a way of thinking about security — makes perfect sense. Cloud, DevOps, agile development, and the digital transformation they enable have rendered the traditional app-focused security perspective obsolete. It's not about securing a handful of line-of-business applications anymore. Security engineers are now responsible for the security of the products created to deliver value to customers, drive competitive differentiation, and advance corporate strategy.
The stakes have never been higher. A compromised in-house productivity app can temporarily disrupt or delay operations — but a compromised core product or service in the hands of customers can deal a devastating blow to the business itself.
The distinction may seem nuanced, but consider this: ask an executive how much sleep he or she loses worrying about the integrity of the company's applications and you're likely to get a blank stare. Now ask the same question about the integrity of the company's products.
Security engineers are right to embrace this new product-centric conception of their role. Hopefully, this shift will help bring awareness to the growing importance of their work — and help them secure the enhanced budget, resources, and tools they need to ensure the security of the products that power their business, and the businesses that power the new digital economy.
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable experts. Check out the security track agenda here. Early Bird Rates Expire Friday March 23. Use Promo Code DR200 to Save $200
Tyler Shields is Vice President of Portfolio Strategy at CA Technologies. Prior to joining CA, Shields covered all things applications, mobile, and IoT security as distinguished analyst at Forrester Research. Before Forrester, he managed mobile solutions at Veracode, where he ... View Full Bio