Evolution and the Movement of AppSec to the Cloud

In this article, MVB Jeannie Warner gives a quick overview of the evolution of the security field, specifically AppSec, and how the cloud will affect the field.

Time was, all you needed was anti-virus software to be secure in your hard-wired network. Then you needed a firewall. Then maybe a network scan to find your unpatched servers and services, and an intrusion detection device to monitor network traffic, and host-based detection. Then came anomaly detection, data loss prevention, encryption tools.

But then we got mobile devices, and executives fell in love with tablets. And then smart objects, from buildings to cars and medical devices. The boundaries of the network keep growing, but we security experts keep saying that the user is the weakest link.

I think that’s going to start to change, and that’s a good thing.

The boundaries have become the baseline; all the security methodologies from the past can now be found in fewer, multi-purpose devices, or via networked technologies with multi-vendor partnerships. I know SecIntel feeds from security companies are consumed by the products of others, helping make the whole ecosystem safer. Additionally, having those feeds lets the security experts in a company focus on threat intel to perform better risk analysis for their own organizations, leading to more focused investment and practices.

I’m seeing a similar coming of age in application security. WhiteHat Security has been performing application security testing for 15 years. That’s dynamic testing, source code testing, and penetration testing of web and mobile applications – all pieces of the security discipline required to harden applications against accidental and malicious misuse.

Likewise, web application firewall (WAF) technology has improved, to monitor, control, and escalate attacks made against vulnerabilities in applications. The smarter we can make these WAFs, the more detailed the possible responses become. Alerting is the first step of awareness: knowing that an attacker is attempting an entry. The increasingly sophisticated range of choices, from informational emails to alerting, blocking, ignoring, and so forth, puts a lot in the hands of the security expert, as above.

And yet we all know there are a finite number of security experts available. This is why I appreciate technology partnerships like F5 and their BIG-IP ASM WAF, which can take the application intelligence from one of our scans and create easy-to-execute rules on how to use that information to mitigate the risk while the DevOps team works (usually much more slowly) to remediate. Integration like this between vendors, working together, is absolutely the way of the future of our industry.

This vendor sharing of information and capability matters even more in cloud computing. The cloud movement represents a conservation of resources, from human capital to power use and ecological footprint. Running one large data center or virtual environment saves companies from having to duplicate experts in NetSec and AppSec alike, and lets them share security operations and monitoring.

I’m glad the movement toward the cloud has swept up both NetSec and AppSec under the greater auspices of keeping users and transactions safe. Tools alone aren’t the answer anymore, as IT teams (and budgets) are challenged to find ways to work smarter. We security vendors, and you, the businesses allowing users to do transactions and conduct their lives in the cloud, owe it to those users/customers to get along and find more ways to integrate.

Topics: security, appsec, cloud

Published at DZone with permission of Jeannie Warner, DZone MVB. See the original article here.
