Application Security Today

To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “How is your company securing applications?” Here’s what they told us:

• We protect applications from the inside, adding sensors that understand the context of what the application is actually doing. This level of visibility beats external controls (e.g., understanding that NoSQL databases are not vulnerable to SQL Injection).
• We have empathy for the developer since 80% of our clients are developers. We know developers are being asked to make something that’s relevant, useful, popular, scalable, performant, and secure. We begin by understanding that developers have a lot on their plates, and we think about how to make their lives as easy as possible. We make the AppSec concern consumable and actionable by the developer.
• We can answer this question from two perspectives: how we help users of our Application Release Orchestration platform deliver secure software (including reporting in order to provide a paper trail of the various techniques used to secure the produced applications) and how we help ISVs that are building software that needs to be secure.
  
  Our platform provides clients with a way to create enterprise pipeline templates to document and execute all steps from code commit to production. These templates can serve as a yellow brick road to production that includes all manual and automated steps, amongst which security scanning is done as part of the process. The “shift left” practice in DevSecOps is helping organizations improve quality and security by moving to test earlier in the release process, and our DevOps Platform makes this process auditable and explicit. We do this by integrating other vendors, such as SonarQube, Black Duck, Checkmarx and Fortify, into pipelines, which can prevent the release from going forward as security violations are identified, even with the new discovery of zero-day vulnerabilities during the release process.
  
  Additionally, our security and compliance dashboard templates enable release managers and DevOps engineers to track security issues in applications that need to meet IT compliance requirements. We help them identify applications that are failing to meet security standards. The dashboard gives the team a complete overview of test results from the static application security testing (SAST), dynamic application security testing (DAST), and open source security management (OSSM) tools in their release pipelines.
• We segment applications from each other and give them their own authenticated and encrypted network. Using a full PKI implementation, secure tunnels, dedicated data centers, and direct dedicated connections to cloud application providers we secure applications on a network end-to-end.
• DevSecOps is the way to secure the application across the entire lifecycle — securing left, programming, building, and production is application security throughout the lifecycle. Development is getting faster, and application security needs to be able to support development.

Here’s who shared their insights:

• Erik Costlow, Developer Relations, Contrast Security
• James McClay, Product Manager, Cybera
• Doug Dooley, COO, Data Theorem
• Joseph Feiman, Chief Strategy Officer, WhiteHat Security
• Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs