DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. AppSec Concerns

AppSec Concerns

Misleading representations by solution providers, lack of culture adoption, and lack of progress.

Tom Smith user avatar by
Tom Smith
CORE ·
Aug. 09, 19 · Opinion
Like (1)
Save
Tweet
Share
3.34K Views

Join the DZone community and get the full member experience.

Join For Free

To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “Do you have any concerns regarding the current state of application security?” Here’s what they told us: 

  • Terminology is a concern, where different tools simply claim to be things that they are not and lead to a false sense of integration. For example, WAF vendors are a network tier: security in the front, application in the back. While they may claim visibility into the runtime, they do not actually achieve this and therefore cannot achieve accuracy.
  • Culture. Security has grown up with pen testing and modern tools, the software has grown with cloud and scale. We need to automate security. We need security to embrace automation.
  • 1) Internal threats (nothing new), 2) Machine Identity (due to Internet of Things/containers), 3) Security Vulnerability Administration and Patching strategy (due to more software and microservices, so more runtimes), 4) The risk of a hacker jumping from a low-risk component to a higher-risk component (due to microservices and containers, with bulkhead pattern being an example to safeguard against that).
  • We commonly see application security is only applied to a certain portion of a network, but a truly secure approach applies end-to-end. Our solution secures an application throughout a packet’s journey from source to destination.
  • AppSec is not getting better. Vulnerabilities are not being fixed fast enough. Every code fix has to go back and be tested for vulnerabilities, quality, and performance. Then, the entire application level needs to be tested. It takes a lot of time. There is a lack of understanding of how much testing is necessary, when to use tools instead of services, and how necessary vulnerability remediation is. DevOps is the right approach to develop applications, but today, it results in paying less attention to security. Adopt a security-first mindset.

Here’s who shared their insights:

  • Erik Costlow, Developer Relations, Contrast Security
  • James McClay, Product Manager, Cybera
  • Doug Dooley, COO, Data Theorem
  • Joseph Feiman, Chief Strategy Officer, WhiteHat Security
  • Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs
Application security

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Fraud Detection With Apache Kafka, KSQL, and Apache Flink
  • Top Three Docker Alternatives To Consider
  • Select ChatGPT From SQL? You Bet!
  • Stream Processing vs. Batch Processing: What to Know

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: