The future of AppSec: Stop fighting the last war
It’s a cornerstone of military doctrine: when you focus too much on the last battle you faced, you miss signs of the new battleground taking shape. The principle holds as true for cybersecurity as it does for cavalries and tanks.
The surest way to put your organization at risk is to keep your defense strategy rooted in the past – especially if it wasn’t all that effective in the first place. If tactics like slow gatekeeping controls haven’t been able to fix the kinds of security vulnerabilities we’ve been seeing for years, how will they hold up against the next hacker innovation?
It’s not only threats that are evolving, of course. The ways we create apps are changing quickly as well, with the rise of new models like microservices, API-first design, and single-page apps, and the ongoing adoption of DevOps and Agile. Even within a single organization, different teams may be using different development approaches to build different kinds of apps for different architectures. Traditional siloed approaches to application security just aren’t relevant to our needs today.
Clearly, it’s time to stop looking backward and start looking ahead. How can we defend ourselves against threats when we don’t even know what form they will take? The key is to change the way we look. Approaches based on patterns or signatures will only detect threats that have already been identified. Instead, we need to be able to see signs of attack of any form, anywhere in the environment, against any type of application, in real time.
What can you do to shift your organization to a forward-looking, ready-for-anything security posture? There are three main things to focus on: empowerment, flexibility, and rapid response.
Traditional cybersecurity has centered on complex tools in the hands of skilled experts. This poses two obvious problems: first, it forces development and DevOps teams to rely on a separate, siloed security team, introducing friction and opening a gap in what needs to be a fast and efficient workflow. And second, it presupposes that such experts are readily available in the first place—and as anyone trying to hire a security engineer can tell you, that’s not the case.
To eliminate the reliance on scarce security expertise, organizations need to break down the silos that exist between security, development, and operations, and empower everyone on those teams with security technologies they can use themselves. Developers and DevOps teams need to be able to build security into their own apps, with the autonomy to handle the threats they’ll actually face – not just the threats they used to face. And they’ve got to be able to do it faster, in real time.
By necessity, this will call for an inclusive approach to technology to accommodate the diverse development approaches various teams may take. To make application defense an integrated and efficient part of their processes, people need to be able to add security elements into the development and communication tools they’re already using, such as JIRA, Datadog, PagerDuty, and Slack.
Just as security tools need to be able to accommodate every type of user, security technologies must provide strategic coverage across every platform in the enterprise—any cloud, container, PaaS, IaaS, language, or infrastructure. The days when IT could dictate technology choices are long gone; development and DevOps teams now make their own decisions independently, bringing a diverse mix of platforms into the environment. Acquisitions can bring further variety, as new groups arrive with well-established stacks of their own.
Trying to mandate a standard security architecture and forcing teams to adapt or rewrite their apps accordingly will spark a revolt, as teams simply route around the new requirement. For that matter, settling on a single architecture also locks out future options; containers and microservices might not seem important to a given organization today, but they may feel differently a year from now.
Instead, companies need to be able to cover the full spectrum of platforms—any cloud, container, PaaS, IaaS, language, or infrastructure—with security technology that can be deployed in any manner, including NGWAF, RASP, and reverse proxy modes. That way, development and DevOps teams remain free to make technology choices based on the needs of their apps and the business, not the arbitrary limitations of a security tool.
At the end of the day, cybersecurity is about detecting, disrupting, and preventing attacks in whatever form they may take. Traditional approaches focused on point solutions that addressed only isolated pieces of the picture. This made for slow, ponderous processes that couldn’t possibly keep up with rapidly evolving and diversifying threats, not to mention the need for faster application development.
Security needs to focus on what’s happening right now, across the live production environment, including threats of all types—OWASP Top 10, application DDoS, unique business logic flaws, brute force attacks, rate limiting, account takeover, bots, and whatever else hackers might throw at you. Is our login page seeing a spike in failed attempts? Are user accounts being cross-linked to payment instruments at an alarming rate? Are the critical business functions within an app diverging wildly from established baselines? By evaluating real activity in real time, across multiple vectors, you can better understand the context of what you’re seeing, and make the right decisions about your response—fast.
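Added example, not code from the original post: a minimal real-time baseline check that runs over constructed login and payment-link events in one-minute windows and flags the failed-login spike and the burst of account-to-card links the questions above ask about. The event tuple layout, window size and z-score threshold are assumptions for this illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample events (not real logs): (seconds since start, event type, user id, client ip).
EVENTS = (
    # Five quiet one-minute windows: two failed logins and one payment link in each.
    [(w * 60 + 5, "login_failed", f"u{w}", "10.0.0.1") for w in range(5)]
    + [(w * 60 + 20, "login_failed", f"u{w + 10}", "10.0.0.2") for w in range(5)]
    + [(w * 60 + 40, "payment_linked", f"u{w}", "10.0.0.1") for w in range(5)]
    # Sixth window: a burst of failures and many accounts linked to cards from one address.
    + [(300 + i, "login_failed", f"u{i}", "203.0.113.9") for i in range(40)]
    + [(300 + i, "payment_linked", f"u{i}", "203.0.113.9") for i in range(12)]
)


def count_windows(events, event_type, window_sec=60):
    """Per-window counts of one event type, as a list indexed by window number (gaps are zero)."""
    counts = Counter(ts // window_sec for ts, kind, _, _ in events if kind == event_type)
    last = max(ts // window_sec for ts, _, _, _ in events)
    return [counts.get(w, 0) for w in range(last + 1)]


def spikes(series, min_baseline=3, z=3.0):
    """Flag windows whose count exceeds mean + z*stdev of all earlier windows.

    Returns (window index, observed count, threshold). The stdev is floored at 1.0 so a
    perfectly flat baseline still yields a usable threshold instead of alerting on any change.
    """
    flagged = []
    for i in range(min_baseline, len(series)):
        history = series[:i]
        threshold = mean(history) + z * (pstdev(history) or 1.0)
        if series[i] > threshold:
            flagged.append((i, series[i], round(threshold, 1)))
    return flagged


def detect(events, window_sec=60):
    """Run the baseline check on each vector separately and return alerts keyed by vector."""
    return {
        kind: spikes(count_windows(events, kind, window_sec))
        for kind in ("login_failed", "payment_linked")
    }


if __name__ == "__main__":
    for vector, alerts in detect(EVENTS).items():
        print(vector, alerts)
```

Correlating the two alerts (same window, same source address in the raw events) is what turns a pair of rate anomalies into an account-takeover signal; that join is left to the reader's event store.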
Don’t leave your organization’s defense in the hands of yesterday’s security technologies. Successful organizations are meeting these new challenges head on by focusing on empowerment, flexibility, and rapid response.