A new approach to AppSec

Application development practices continue to evolve, enabling development teams to deliver applications at a pace never before thought possible. At the same time, cyber-criminals have developed new levels of attack strategies and intensified their focus, making it more important than ever to scrutinize applications for security vulnerabilities.

Development and security teams have responded by shifting security further left and investing in tooling integrations. Many believe that improved DevOps integration is the answer, with 43% of respondents to a recent survey by Enterprise Strategy Group (ESG) saying it is one of the most important things they can do to improve their application security (AppSec) programs. Additionally, 58% of organizations report that AppSec is their top security investment priority.

Yet while organizations continue to invest in AppSec, they have big challenges to overcome:

• Developers often lack the knowledge to mitigate issues
• Integration between disparate tools is difficult
• Friction caused by security tools is slowing down development velocity

With digital transformation initiatives continuing to accelerate, development teams are forced to make tough decisions between meeting time-to-market objectives and mitigating risk. Despite ongoing investments in AppSec programs, many organizations admit to pushing application changes with known vulnerabilities. Many point to the need to meet critical deadlines as the main culprit.

Current security strategies are simply not scaling to keep up with modern development practices. A new approach to AppSec is needed.

Next-generation AppSec

It’s clear that integrating and automating security testing tools in CI pipelines to test everything all the time doesn’t scale to meet the demands of modern application development. Simply stated, software security is impeding DevOps velocity. Organizations need to modernize their approach.

What's needed

• A new, risk-driven, security-where-needed approach, focusing more-stringent controls on higher-risk application changes while backing off security testing in lower-risk areas
• Individual application risk profiles aligned to security policies
• Defined automated rulesets that govern how risk is managed, enabling a more intelligent, automated orchestration process
• An orchestration process that operates independently of the core DevOps pipeline
• A solution that's optimized for personas, providing security analysts with the right tools and information to assess risk, while providing developers with the right information and tools to mitigate risk