Cloud

3/22/2018
02:30 PM
Tyler Shields
Tyler Shields
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Is Application Security Dead?

The nature of the field has changed greatly because of the move to the cloud and enterprise digital transformation.

Spoiler alert: If application security isn't dead yet, its days are numbered. OK, this is an over-exaggeration, but fear not, application security engineers — the work you do is actually becoming more important than ever, and your budget will soon reflect this. Application security will never die, but it will have to morph to succeed.

Application security has been around for well over 15 years as a subset of enterprise security. Since the early 2000s, application security experts have made a great living assessing websites and selling application penetration tests. But today, more and more of those experts are changing titles from application security engineer to product security engineer. This is more than just a semantic shift; it reflects a real change in the nature of enterprise security. To understand its significance, consider the impact of two major industry trends: the move to the cloud and enterprise digital transformation.

The Move to the Cloud
The rapid rise of cloud, DevOps, and agile development has left security teams struggling to keep up. As applications are built using as-a-service platform, infrastructure, and function offerings such as Amazon Web Services, Pivotal, and Lambda, the traditional model of network- and host-based security is now in the hands of third-party providers. This abstraction has shrunk the security perimeter and forced traditional enterprise security experts to update their skills.

At the same time, we've also seen the rise of the DevOps security specialist. In the past, application security teams held responsibility for the security of code and ran static and dynamic analysis tools to help the development team vet their output. Now these techniques are being reinvented into a more DevOps-focused model where developers and operations teams analyze, secure, and repair their own code and deployments. This eases the burden on the already overtaxed application security team and puts security ownership where it belongs: in the hands of the team that built the application in the first place. Integrating application security into the continuous integration/continuous delivery pipeline also allows security verification to occur in real time, long the dream of application security experts.

Digital Transformation
Adding fuel to the fire is the transformation of enterprise business from traditional models to digital-first. Businesses of all kinds are now integrating digital technology into all areas of their products, services and operations to support new ways of delivering value.

As products move online, the domain of the security expert is expanding greatly. Applications are no longer limited to internally focused support systems — they're now the lifeblood of the organization and its most important revenue stream. It's no longer enough to focus on safeguarding a handful of web applications; application security engineers must now own security across entire product lines and protect the business itself.

The Rise of Product Security
In this light, the shift from application security to product security — as both a job title and a way of thinking about security — makes perfect sense. Cloud, DevOps, agile development, and the digital transformation they enable have rendered the traditional app-focused security perspective obsolete. It's not about securing a handful of line-of-business applications anymore. Security engineers are now responsible for the security of the products created to deliver value to customers, drive competitive differentiation, and advance corporate strategy.

The stakes have never been higher. A compromised in-house productivity app can temporarily disrupt or delay operations — but a compromised core product or service in the hands of customers can deal a devastating blow to the business itself.

The distinction may seem nuanced, but consider this: ask an executive how much sleep he or she loses worrying about the integrity of the company's applications and you're likely to get a blank stare. Now ask the same question about the integrity of the company's products.

Security engineers are right to embrace this new product-centric conception of their role. Hopefully, this shift will help bring awareness to the growing importance of their work — and help them secure the enhanced budget, resources, and tools they need to ensure the security of the products that power their business, and the businesses that power the new digital economy.  

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable experts. Check out the security track agenda here. Early Bird Rates Expire Friday March 23. Use Promo Code DR200 to Save $200

Tyler Shields is Vice President of Portfolio Strategy at CA Technologies. Prior to joining CA, Shields covered all things applications, mobile, and IoT security as distinguished analyst at Forrester Research. Before Forrester, he managed mobile solutions at Veracode, where he ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
blahblahblah123223232
50%
50%
blahblahblah123223232,
User Rank: Apprentice
3/22/2018 | 4:53:23 PM
Congratulations You've Been Accepted to ShillCon 2018!
Congratulations You've been accepted to ShillCon 2018!

 

ShillCon 2018 is the premiere information security conference for industry 'thought leaders' to tell us why were going to die unless we purchase thier product. We will declare dead and bring back all types of security vulnerabilites, real and made up by security company's marketing teams. No, this isn't the RSA conference, this is a totally unique conference where vendor peddle there wares, plus no good swag. As we always say, The More FUD the Better.

Sign up now!

ShillCon 2018 Website
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14505
PUBLISHED: 2018-07-22
mitmweb in mitmproxy v4.0.3 allows DNS Rebinding attacks, related to tools/web/app.py.
CVE-2018-14500
PUBLISHED: 2018-07-22
joyplus-cms 1.6.0 has XSS via the manager/collect/collect_vod_zhuiju.php keyword parameter.
CVE-2018-14501
PUBLISHED: 2018-07-22
manager/admin_ajax.php in joyplus-cms 1.6.0 has SQL Injection, as demonstrated by crafted POST data beginning with an "m_id=1 AND SLEEP(5)" substring.
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.