Cloud

3/22/2018
02:30 PM
Tyler Shields
Tyler Shields
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Is Application Security Dead?

The nature of the field has changed greatly because of the move to the cloud and enterprise digital transformation.

Spoiler alert: If application security isn't dead yet, its days are numbered. OK, this is an over-exaggeration, but fear not, application security engineers — the work you do is actually becoming more important than ever, and your budget will soon reflect this. Application security will never die, but it will have to morph to succeed.

Application security has been around for well over 15 years as a subset of enterprise security. Since the early 2000s, application security experts have made a great living assessing websites and selling application penetration tests. But today, more and more of those experts are changing titles from application security engineer to product security engineer. This is more than just a semantic shift; it reflects a real change in the nature of enterprise security. To understand its significance, consider the impact of two major industry trends: the move to the cloud and enterprise digital transformation.

The Move to the Cloud
The rapid rise of cloud, DevOps, and agile development has left security teams struggling to keep up. As applications are built using as-a-service platform, infrastructure, and function offerings such as Amazon Web Services, Pivotal, and Lambda, the traditional model of network- and host-based security is now in the hands of third-party providers. This abstraction has shrunk the security perimeter and forced traditional enterprise security experts to update their skills.

At the same time, we've also seen the rise of the DevOps security specialist. In the past, application security teams held responsibility for the security of code and ran static and dynamic analysis tools to help the development team vet their output. Now these techniques are being reinvented into a more DevOps-focused model where developers and operations teams analyze, secure, and repair their own code and deployments. This eases the burden on the already overtaxed application security team and puts security ownership where it belongs: in the hands of the team that built the application in the first place. Integrating application security into the continuous integration/continuous delivery pipeline also allows security verification to occur in real time, long the dream of application security experts.

Digital Transformation
Adding fuel to the fire is the transformation of enterprise business from traditional models to digital-first. Businesses of all kinds are now integrating digital technology into all areas of their products, services and operations to support new ways of delivering value.

As products move online, the domain of the security expert is expanding greatly. Applications are no longer limited to internally focused support systems — they're now the lifeblood of the organization and its most important revenue stream. It's no longer enough to focus on safeguarding a handful of web applications; application security engineers must now own security across entire product lines and protect the business itself.

The Rise of Product Security
In this light, the shift from application security to product security — as both a job title and a way of thinking about security — makes perfect sense. Cloud, DevOps, agile development, and the digital transformation they enable have rendered the traditional app-focused security perspective obsolete. It's not about securing a handful of line-of-business applications anymore. Security engineers are now responsible for the security of the products created to deliver value to customers, drive competitive differentiation, and advance corporate strategy.

The stakes have never been higher. A compromised in-house productivity app can temporarily disrupt or delay operations — but a compromised core product or service in the hands of customers can deal a devastating blow to the business itself.

The distinction may seem nuanced, but consider this: ask an executive how much sleep he or she loses worrying about the integrity of the company's applications and you're likely to get a blank stare. Now ask the same question about the integrity of the company's products.

Security engineers are right to embrace this new product-centric conception of their role. Hopefully, this shift will help bring awareness to the growing importance of their work — and help them secure the enhanced budget, resources, and tools they need to ensure the security of the products that power their business, and the businesses that power the new digital economy.  

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable experts. Check out the security track agenda here. Early Bird Rates Expire Friday March 23. Use Promo Code DR200 to Save $200

Tyler Shields is Vice President of Marketing, Strategy, and Partnerships at Signal Sciences. Prior to joining Signal Sciences, Shields covered all things applications, mobile, and IoT security as distinguished analyst at Forrest Research. Before Forrester, he managed mobile ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
blahblahblah123223232
50%
50%
blahblahblah123223232,
User Rank: Apprentice
3/22/2018 | 4:53:23 PM
Congratulations You've Been Accepted to ShillCon 2018!
Congratulations You've been accepted to ShillCon 2018!

 

ShillCon 2018 is the premiere information security conference for industry 'thought leaders' to tell us why were going to die unless we purchase thier product. We will declare dead and bring back all types of security vulnerabilites, real and made up by security company's marketing teams. No, this isn't the RSA conference, this is a totally unique conference where vendor peddle there wares, plus no good swag. As we always say, The More FUD the Better.

Sign up now!

ShillCon 2018 Website
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.