AppSec Concerns

To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “Do you have any concerns regarding the current state of application security?” Here’s what they told us: 

  • Terminology is a concern, where different tools simply claim to be things that they are not and lead to a false sense of integration. For example, WAF vendors are a network tier: security in the front, application in the back. While they may claim visibility into the runtime, they do not actually achieve this and therefore cannot achieve accuracy.
  • Culture. Security has grown up with pen testing and modern tools, while software has grown with cloud and scale. We need to automate security. We need security to embrace automation.
  • 1) Internal threats (nothing new), 2) machine identity (due to Internet of Things/containers), 3) security vulnerability administration and patching strategy (due to more software and microservices, so more runtimes), 4) the risk of a hacker jumping from a low-risk component to a higher-risk component (due to microservices and containers, with the bulkhead pattern being an example of how to safeguard against that).
  • We commonly see application security is only applied to a certain portion of a network, but a truly secure approach applies end-to-end. Our solution secures an application throughout a packet’s journey from source to destination.
  • AppSec is not getting better. Vulnerabilities are not being fixed fast enough. Every code fix has to go back and be tested for vulnerabilities, quality, and performance. Then, the entire application level needs to be tested. It takes a lot of time. There is a lack of understanding of how much testing is necessary, when to use tools instead of services, and how necessary vulnerability remediation is. DevOps is the right approach to develop applications, but today, it results in paying less attention to security. Adopt a security-first mindset.

Here’s who shared their insights: