Another RSA show bites the dust, and we had a great week! Even after attending our blow-out party at the SF Mint (where I admittedly had a little too much fun), and a two-day Speakeasy where I talked to customers and partners, I found my way to the RSA show floor.
Rather than trying to do the impossible and tease out the reality from all claims related to AI/ML, I kept it simple. I focused on application security. I figured that made sense since a) the bulk of the risk identified by Bugcrowd is in the application layer, and b) it’s pretty clear that most people are trying to move to a software-centric value proposition. Since the true intellectual property is in the applications and the data, you would think the security industry would follow along and innovate in appsec.
Well, all I can say is that there wasn’t much evidence of this trend on the floor. There were very few companies that positioned stronger security at the application layer. Some came close – for example trying to model container behavior to find a compromise, but very few tried to produce actual software that is harder to hack.
I can understand why this is the case. Organizational silos continue to persist, and DevSecOps might be cool, but still difficult finding serious budget to fuel it. Application security is just a very different tech compared to traditional security. And it’s unfortunate ( I’m being polite here). Applications are built (or assembled if you prefer) by people, and people make mistakes. If you can harden the app, you take the pressure off all that security tech I saw at the show to cover for application flaws. And you don’t have to worry about ensuring that security tech is actually in place between the app and whatever it’s talking to – no easy task these days.
With all that said, I came away thinking we’ve got the right approach to crowdsourced security. Assume developers will err and deal with it head-on. Use the same creativity your adversaries use to find bad flaws in the apps you care about and make sure those flaws get patched. Effective and efficient…unlike trying to make sense of the cacophony that is the RSA Expo floor.