To better understand market dynamics and our clients' challenges, I make a point of communicating regularly with those on the front lines, whether at the practitioner or the executive level.
Recently, I participated in an executive event where vendors and delegates were matched based on responsibilities, projects, and solution fit. Having been in the software industry for over 20 years, I have seen software creep into nearly every aspect of our daily lives. However, I'm still amazed at just how software-centric (and software-dependent) organizations are today, whether they are building internal software applications, utilizing infrastructure that is mostly code, or engineering products for resale.
Here are some observations:
Those responsible for application and software security are wide-ranging
The range of titles and job functions was broad. Still, the constant was some level of responsibility for the security of their enterprise's critical infrastructure or of the products they sell to customers:
- CISOs at large retailers who want a variety of training and testing solutions for their internal product and IT/infrastructure teams
- Head of Application Security at the world's largest online retailer who needs security testing on everything from cloud and mobile applications to robotic process automation systems, global transportation vehicles and their associated telematics, and embedded IoT devices
- Product Security Director with 2,000 developers who wants to build a security champions program
- Enterprise Information Risk Management lead who directs InfoSec teams and internal development/IT teams on business risk and is seeking help complying with the COSO framework
- Head of Cloud Security whose current project is to get all the related IT stakeholders knowledgeable about security now that most of their digital transformation is complete: executives, analysts, developers, cloud engineers, architects, DBAs, et al.
Filling the Skills Gap
This isn't just a problem for InfoSec or Cyber Security teams, but for job functions ranging from Business Analysts to Product/Application Development teams, and just about anybody dealing with cloud-anything!
Some have tried various training programs with limited success. Others use scanning solutions but know they reduce just a fraction of the risk in their software by finding only known and less critical vulnerabilities.
I was surprised at how many people proactively mentioned unskilled staff and staff proficiency as an impediment to success. I was also surprised by some of the delegates requesting meetings with us - a movie cinema chain in Canada, an automotive tire distributor, and a company that actually makes IT training software and content itself!
Progressive & incentive programs
Several executives expressed a desire to build belt and champions programs. I shared Gartner's report "3 Steps to Integrate Security Into DevOps," which provides a prescriptive playbook for building security into software and IT teams. It calls for creating a belt system that includes multiple learning modes, i.e., traditional classroom or online courses coupled with hands-on simulations (they mention capture the flag [CTF] exercises) and on-the-job tasks related to the learning.
Role-based training (aka "job function" training)
Three of the first ten delegates I spoke with were already using secure coding training products but were disappointed with the results, the feedback, and the inability to reach the non-coding roles that are critical to securing software across the enterprise and its cloud deployments. Three others had "general IT training with some security courses" and needed training with more context on their enterprise's technologies and specific threats. Kudos to our products team, who saw years ago that software modernization was coming and that it would rely less on developers writing code and more on software and DevOps engineers assembling systems from different parts.
The need to align skills with process and compliance mandates
This point came up frequently but was seldom tied to any specific framework. Most companies admitted to taking requirements, combining similar controls, and creating their own custom or specific set of guidelines shared across various groups. This is encouraging because it reinforces that organizations are looking to address the root cause of vulnerable software, gaps in skills and activities, and are not only thinking about what security activities to conduct but also about how to do them correctly.
Cloud Security and Application/Software Security are Converging
Whether it was an active project specific to building and securing an application or dealing with software as part of a larger system, most needs were expressed as "cloud security" or "application security" projects. However, during our discussions, it was abundantly clear that these are fast becoming one and the same, because the business application and the infrastructure it runs on are both software.
The delegates who listed AppSec and CloudSec needs came from all verticals and were at different phases of maturity, yet their pain points and technology stacks were very similar. Other notes:
- "Lift and shift" migration is still king in 2023
- Many are still in the process of migrating to the cloud (apps, infrastructure, etc.)
- Roughly half were in the midst of or kicking off a digital transformation/modernization project
- Some larger organizations, like a top 5 US Bank, were in the middle of a multi-year migration strategy
- Some were already rewriting applications to cloud-native apps, but this was the exception
- Many are multi-cloud environments, making configuration and expertise even more challenging
Application Security was almost as omnipresent as cloud because software now manages nearly all aspects of critical business systems. In support of this observation, SC Media nailed it with this piece about Application and Cloud Security converging in 2023. For cloud-dependent organizations, AppSec is now almost a subset of Cloud Security and needs to be thought about differently. Traditional AppSec skills development needs have evolved to include everyone who builds, operates, and defends the software cloud that is now our digital enterprise. Application security has become inextricable from the underlying cloud infrastructure, and cloud security must consider the application layer for attack path analysis. For example, what was once limited to identifying vulnerabilities in code and cloud service configurations must now include the risks within the applications themselves: access controls and privilege escalations that could allow misuse of data, misdirection of funds, and potentially command of one's entire corporate infrastructure.
About Ed Adams, CEO
Ed Adams is a software quality and security expert with over 20 years of experience in the field. He has served as a member of the Security Innovation Board of Directors since 2002 and as CEO since 2003. Ed has held senior management positions at Rational Software, Lionbridge, Ipswitch, and MathSoft. Earlier in his career, he was also an engineer for the US Army and Foster-Miller.
Ed is a Ponemon Institute Research Fellow, a Privacy by Design Ambassador appointed by the Information & Privacy Commissioner of Canada, a Forbes Technology Council Member, and a recipient of multiple SC Magazine Reboot Leadership Awards. He sits on the board of Cyversity, a non-profit committed to advancing minorities in the field of cyber security, and is a BoSTEM Advisory Committee member.