I’ve been working on leading-edge security technologies for decades now, and I am watching it happen again: the pattern I’ve seen as a security vendor product manager. The Wheel of Security Time turns and the next age begins. It’s never THE beginning, but often there is A beginning.
At first, when there is something new, nobody knows what it is or how to categorize it. Then people begin to recognize it, once you make some progress with early adopters and thought leaders. After that, people want it (or it never gets to that stage and you’re on to the next big thing). Finally, people begin to use it. Then, as Gartner’s Hype Cycle will tell you, there is a disillusionment period because too much was projected onto the product or service, followed by a realization of how best to use it productively. We’ve documented this to some extent with our Application Security Model and research.
A couple of years ago, when I would speak to people looking for application security training, they were looking at training mostly in isolation. They were either in the trough of the Application Security Model (mirroring a Static Analysis Hype Cycle) or they were facing a compliance failure. They just wanted to roll out some training or run some assessments to check the box and find or fix vulnerabilities. Worse yet, the security people were often hoping to get developers to take the training without having worked with the development team to agree that it was required or on how the practices would be integrated into the development process.
Over the last year I have seen something that those of us who have been around Application Security for a long time have been hoping for. We have customers coming to us who are asking to look top-down at the process first, or who are looking for help with training, assessments, or even a holistic security program in context. Security people are working together with development to figure out needs and improve the process from beginning to end, just as they learned to work with sysadmins on a patching program. Smart security management is hiring developers into their organization to help make the connection. They are doing, or have done, application risk classifications and are focusing on closing the highest-risk vulnerabilities in the highest-risk applications rather than being paralyzed by a huge report. They are asking us to teach them how to do their own security testing and dedicating resources to it, not to mention doing threat models and risk ranking, setting specific and actionable application security policies, and then verifying their own compliance.
So, while the problem is not solved, as Ed Adams, our CEO, has eloquently documented, I see people beginning to tackle it. My observations are anecdotal, not scientific. Like firewalls, then patching, then system configuration (none of which are solved, but all of which are a lot better than they were), the Wheel of Security Time spins and we are entering an age of application security. It’s never THE beginning, but often there is A beginning.
With apologies to Robert Jordan, and Brandon Sanderson of course.