Contrast Security 2018 Predictions: The Year of Rapid Convergence in the Application Security Product Market

VMblog Predictions 2018

Industry executives and experts share their predictions for 2018.  Read them in this 10th annual VMblog.com series exclusive.

Contributed by Jeff Williams, Co-Founder, Chief Technology Officer, Contrast Security

2018: The Year of Rapid Convergence in the Application Security Product Market

The need for application security has never been more critical. As businesses are transformed from real world functions into digital ones, the amount of code being produced continues to skyrocket.  We are seeing a rapid increase in the number of libraries and frameworks in use, the number of connections made by applications and APIs and the speed of deployment. All of these factors make applications more difficult to secure.  Meanwhile, applications are being used for more and more critical things.  To anyone paying attention, it's pretty obvious that we'll see more and more breaches in 2018 and beyond.

In order to make progress in application security, we must automate. There simply aren't enough experts to do the job manually. Not even close. In fact, tools designed for experts don't help, as they are difficult to install, burdensome to run, and their output is complex to interpret. If an expert has to be involved, it's really not automation at all. We need tools that novice developers and operations staff can use effectively. To scale effectively, application security tools have to run continuously across an entire application portfolio in parallel.

In the early 2000s three technologies emerged to help: static code scanners (SAST), dynamic HTTP scanners (DAST) and web application firewalls (WAF). These technologies require experts, and therefore have never scaled particularly well, and they struggle with modern applications that contain large numbers of libraries, are composed of APIs, deploy in cloud and containers and use DevOps to deploy quickly.

In the past few years, several new categories of tools have emerged. The confusingly named "software composition analysis" (SCA) tools identify libraries with known vulnerabilities.  Interactive application security testing (IAST) uses software instrumentation to analyze applications from within.  Similarly, Runtime Application Security Protection (RASP) works from inside an application to prevent attacks from exploiting applications.

Organizations struggle with this application security "tool soup." We are already starting to see platforms emerge that allow all these capabilities to be deployed as part of a single technology. This "unified" application security platform will perform a combination of SAST, DAST, IAST, WAF, RASP and SCA functions. These tools will enhance each other's capabilities by sharing what they have learned about how the application works. Instead of generating PDF reports, they will notify all the right people through the tools they are already using, like Eclipse, Visual Studio, Jenkins, Slack, HipChat, Splunk, ArcSight, PagerDuty and VictorOps.

Application security is too important to trust to a patchwork of unintegrated tools. The market in 2018 will drive towards a unified approach that covers organizations in two ways: developers are empowered to deliver clean, secure code, and operations gains confidence that attacks are identified and blocked in production. Don't wait until the storm hits to install the hurricane shutters. The future will be won by those who are prepared for the storm.


About the Author

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. In 2002, Jeff co-founded and became CEO of Aspect Security, a successful and innovative consulting company focused on application security. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

Published Thursday, December 21, 2017 6:31 AM by David Marshall