I always like attending the annual Gartner Security and Risk Management in Washington DC because a) I get to do a run around the National Mall and White House, and b) I get to hear what the Gartner analysts are telling their customers. Love ‘em or hate ‘em, Gartner has a lot of mindshare at the executive level, and to be fair they do spend a lot of time listening to IT Security people. At this year’s show, I focused on application security and here were my take-away’s.
AppSec is Hard
No surprise here: AppSec is just plain complicated, and the number of technologies coming to market has expanded rapidly in the last couple of years. In addition to Dev and Sec having different priorities, the rapid change in application deployment models (i.e., serverless computing) coupled with the reality that enterprises are doing “all of the above” in some fashion (i.e., legacy, VMs, containers, etc) creates an extremely daunting challenge.
There were numerous sessions and vendor pitches on how to best integrate security with agile/DevOps style development. Trying to secure applications that are continuously changing is going to require a lot of new processes and product support. I would go as far as saying that most of the developments (and definitely the marketing budget) in the AppSec space is related to that trend. The primary mantra was “shift security left” in the development process, but a couple of Gartner analysts bucked the trend and advocated a “deploy first, test second” alternative. They just didn’t see shifting security left as realistic for most shops. Time will tell!
Crowdsourced security is going mainstream
Multiple analysts mentioned bug bounty programs as part of the AppSec solution set, and interestingly positioned it for both the left side (“Dev”) and right-side (“Ops”) portions of the software development lifecycle. Dale Gardner, Gartner research director for the technology and service provider security group, did a great presentation called “The Wisdom of Crowds: Crowdsourced Security Testing Platform Market Gains Momentum,” illustrating adoption rates, the forces driving change in the industry and the momentum seen over the past couple of year. Security skilled people are few on the ground in most organizations, and pentests are not doing enough to decrease risk. So the momentum is definitely building.
While there’s still a pretty firm line between AppSec and general IT Security, it’s starting to sink in that infrastructure-based controls are much less relevant I saw a lot fewer “What firewall should you buy” type presentations this year, replaced by topics like “How to secure your APIs”. No doubt that trend is unstoppable.