Industry executives and experts share their predictions for 2018. Read them in this 10th annual VMblog.com series exclusive.
Contributed by Jeff Williams, Co-Founder, Chief Technology Officer, Contrast Security
2018: The Year of Rapid Convergence in the Application Security Product Market
The need for application security has never been more critical. As businesses are transformed from real world functions into digital ones, the amount of code being produced continues to skyrocket. We are seeing a rapid increase in the number of libraries and frameworks in use, the number of connections made by applications and APIs, and the speed of deployment. All of these factors make applications more difficult to secure. Meanwhile, applications are being used for more and more critical things. To anyone paying attention, it's pretty obvious that we'll see more and more breaches in 2018 and beyond.
In order to make progress in application security, we must automate. There simply aren't enough experts to do the job manually. Not even close. In fact, tools designed for experts don't help: they are difficult to install, burdensome to run, and their output is complex to interpret. If an expert has to be involved, it's really not automation at all. We need tools that novice developers and operations staff can use effectively. To scale, application security tools have to run continuously and in parallel across an entire application portfolio.
In the early 2000s, three technologies emerged to help: static code scanners (SAST), dynamic HTTP scanners (DAST) and web application firewalls (WAF). These technologies require experts, and therefore have never scaled particularly well, and they struggle with modern applications that contain large numbers of libraries, are composed of APIs, deploy in cloud and containers, and use DevOps to deploy quickly.
In the past few years, several new categories of tools have emerged. The confusingly named "software composition analysis" (SCA) tools identify libraries with known vulnerabilities. Interactive application security testing (IAST) uses software instrumentation to analyze applications from within. Similarly, Runtime Application Security Protection (RASP) works from inside an application to prevent attacks from exploiting applications.
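As an added illustration of the instrumentation idea behind IAST and RASP (a toy written for this article, not Contrast's product or any real agent), the sketch below hooks a dangerous sink from inside the process. In "iast" mode it records a finding whenever untrusted request data reaches the SQL text unparameterized; in "rasp" mode it blocks the call when that data looks like an attack. The `Agent`, `FakeDb`, handler functions and sample inputs are all hypothetical; real agents propagate taint through string operations, while this toy only checks whether a request value appears verbatim at the sink.

```python
import re

class BlockedRequest(Exception):
    """Raised in RASP mode when an attack reaches a sink."""

class Agent:
    """Toy in-process agent (hypothetical): 'iast' records, 'rasp' blocks.
    Real agents propagate taint through string operations; this toy only
    checks whether a request value shows up verbatim in the SQL text."""
    SQL_META = re.compile(r"('|--|;|/\*)")  # crude attack heuristic

    def __init__(self, mode="iast"):
        self.mode = mode
        self.untrusted = []  # values seen at the request boundary (sources)
        self.findings = []

    def on_request(self, params):
        self.untrusted = [v for v in params.values() if v]

    def on_sql(self, sql):
        for value in self.untrusted:
            if value in sql:  # untrusted data reached the sink unparameterized
                attack = bool(self.SQL_META.search(value))
                self.findings.append({"sink": "sql", "input": value, "attack": attack})
                if self.mode == "rasp" and attack:
                    raise BlockedRequest(value)

class FakeDb:
    """Stand-in for a database driver; records what would be executed."""
    def __init__(self):
        self.executed = []
    def execute(self, sql, params=()):
        self.executed.append((sql, params))
        return "ok"

def instrument(db, agent):
    """Hook the sink without touching application code, as an agent would."""
    original = db.execute
    def hooked(sql, params=()):
        agent.on_sql(sql)  # inspect before the real driver runs it
        return original(sql, params)
    db.execute = hooked
    return db

def handle_request(agent, db, params):
    """Hypothetical handler with a deliberately unsafe concatenated query."""
    agent.on_request(params)  # source hook at the request boundary
    return db.execute("SELECT * FROM users WHERE name = '" + params.get("name", "") + "'")

def handle_request_safe(agent, db, params):
    """Same handler parameterized: nothing untrusted reaches the SQL text."""
    agent.on_request(params)
    return db.execute("SELECT * FROM users WHERE name = ?", (params.get("name", ""),))
```

Note that the IAST mode reports the unsafe concatenation even on benign input, which is what makes it useful during testing, while the RASP mode only intervenes on input that trips the attack heuristic.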
Organizations struggle with this application security "tool soup." We are already starting to see platforms emerge that allow all these capabilities to be deployed as part of a single technology. This "unified" application security platform will perform a combination of SAST, DAST, IAST, WAF, RASP and SCA functions. These tools will enhance each other's capabilities by sharing what they have learned about how the application works. Instead of generating PDF reports, they will notify all the right people through the tools they are already using, like Eclipse, Visual Studio, Jenkins, Slack, HipChat, Splunk, ArcSight, PagerDuty and VictorOps.
Application security is too important to trust to a patchwork of unintegrated tools. The market in 2018 will be driving towards a unified approach that covers organizations in two ways: developers are empowered to deliver clean, secure code, and operations gains confidence that attacks are identified and blocked in production. Don't wait until the storm hits to install the hurricane shutters. The future will be won by those who are prepared for the storm.
About the Author
Jeff Williams, Co-Founder, Chief Technology Officer
Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. In 2002, Jeff co-founded and became CEO of Aspect Security, a successful and innovative consulting company focused on application security. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.