Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/22/2018
02:30 PM
Tyler Shields
Tyler Shields
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Is Application Security Dead?

The nature of the field has changed greatly because of the move to the cloud and enterprise digital transformation.

Spoiler alert: If application security isn't dead yet, its days are numbered. OK, this is an over-exaggeration, but fear not, application security engineers — the work you do is actually becoming more important than ever, and your budget will soon reflect this. Application security will never die, but it will have to morph to succeed.

Application security has been around for well over 15 years as a subset of enterprise security. Since the early 2000s, application security experts have made a great living assessing websites and selling application penetration tests. But today, more and more of those experts are changing titles from application security engineer to product security engineer. This is more than just a semantic shift; it reflects a real change in the nature of enterprise security. To understand its significance, consider the impact of two major industry trends: the move to the cloud and enterprise digital transformation.

The Move to the Cloud
The rapid rise of cloud, DevOps, and agile development has left security teams struggling to keep up. As applications are built using as-a-service platform, infrastructure, and function offerings such as Amazon Web Services, Pivotal, and Lambda, the traditional model of network- and host-based security is now in the hands of third-party providers. This abstraction has shrunk the security perimeter and forced traditional enterprise security experts to update their skills.

At the same time, we've also seen the rise of the DevOps security specialist. In the past, application security teams held responsibility for the security of code and ran static and dynamic analysis tools to help the development team vet their output. Now these techniques are being reinvented into a more DevOps-focused model where developers and operations teams analyze, secure, and repair their own code and deployments. This eases the burden on the already overtaxed application security team and puts security ownership where it belongs: in the hands of the team that built the application in the first place. Integrating application security into the continuous integration/continuous delivery pipeline also allows security verification to occur in real time, long the dream of application security experts.

Digital Transformation
Adding fuel to the fire is the transformation of enterprise business from traditional models to digital-first. Businesses of all kinds are now integrating digital technology into all areas of their products, services and operations to support new ways of delivering value.

As products move online, the domain of the security expert is expanding greatly. Applications are no longer limited to internally focused support systems — they're now the lifeblood of the organization and its most important revenue stream. It's no longer enough to focus on safeguarding a handful of web applications; application security engineers must now own security across entire product lines and protect the business itself.

The Rise of Product Security
In this light, the shift from application security to product security — as both a job title and a way of thinking about security — makes perfect sense. Cloud, DevOps, agile development, and the digital transformation they enable have rendered the traditional app-focused security perspective obsolete. It's not about securing a handful of line-of-business applications anymore. Security engineers are now responsible for the security of the products created to deliver value to customers, drive competitive differentiation, and advance corporate strategy.

The stakes have never been higher. A compromised in-house productivity app can temporarily disrupt or delay operations — but a compromised core product or service in the hands of customers can deal a devastating blow to the business itself.

The distinction may seem nuanced, but consider this: ask an executive how much sleep he or she loses worrying about the integrity of the company's applications and you're likely to get a blank stare. Now ask the same question about the integrity of the company's products.

Security engineers are right to embrace this new product-centric conception of their role. Hopefully, this shift will help bring awareness to the growing importance of their work — and help them secure the enhanced budget, resources, and tools they need to ensure the security of the products that power their business, and the businesses that power the new digital economy.  

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable experts. Check out the security track agenda here. Early Bird Rates Expire Friday March 23. Use Promo Code DR200 to Save $200

Tyler Shields is Vice President of Portfolio Strategy at CA Technologies. Prior to joining CA, Shields covered all things applications, mobile, and IoT security as distinguished analyst at Forrester Research. Before Forrester, he managed mobile solutions at Veracode, where he ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
blahblahblah123223232
50%
50%
blahblahblah123223232,
User Rank: Apprentice
3/22/2018 | 4:53:23 PM
Congratulations You've Been Accepted to ShillCon 2018!
Congratulations You've been accepted to ShillCon 2018!

 

ShillCon 2018 is the premiere information security conference for industry 'thought leaders' to tell us why were going to die unless we purchase thier product. We will declare dead and bring back all types of security vulnerabilites, real and made up by security company's marketing teams. No, this isn't the RSA conference, this is a totally unique conference where vendor peddle there wares, plus no good swag. As we always say, The More FUD the Better.

Sign up now!

ShillCon 2018 Website
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16772
PUBLISHED: 2019-12-07
The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
CVE-2019-9464
PUBLISHED: 2019-12-06
In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
CVE-2019-2220
PUBLISHED: 2019-12-06
In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
CVE-2019-2221
PUBLISHED: 2019-12-06
In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
CVE-2019-2222
PUBLISHED: 2019-12-06
n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...