Rich Mogull talks about real world IT security challenges today in his column, "Simple Isn't Simple" in Dark Reading. I agree 100%. One of the Rich's points is security has to scale or it doesn't solve the real world problem. In most cases we know how to solve a security problem for a single instance of that problem; one SQL injection flaw in one app, for instance. The challenge is doing it at scale. If you can’t do it at scale you don’t solve the problem for the business.
Firewalls need to be on every ingress/egress point in the organization or they don’t solve the problem. Firewall technology has to scale to be manageable over every connection and work on every size pipe. Network vulnerability scanners have to scale to scan every system in the enterprise. Patch management solutions need to scale to manage every system with any OS. Likewise the only way to solve application security is to scale it to every release of every app. At Veracode we don't just focus on the accuracy of our application security solution. We also focus on our solution working well at large enterprise scale. Our mission is to make it possible for an organization, no matter how large, to perform security testing on all apps: every release, from every source (in house, outsourced, vendor, open source), and on every platform. We have customers that are statically scanning 1000 different applications this year. We have dynamically scanned 3000 web sites for one customer in 8 days. Scaling well is also not just the absolute number you can get to, but how quickly you can get there. Scaling application security is a hard problem that requires automation and humans. Manual effort cannot be eliminated so it needs to be made as efficient as possible. This can be done by offloading the parts of testing that can be automated to automated solutions. Let humans find authorization issues and machines find SQL injection. If humans don't scale well then application security experts scale less well. We should design solutions where tasks that need humans can be performed by more available resources. Let QA people crawl through business logic constraints and feed that crawl into automation rather than drive tools with application security experts. These are some of the approaches we are taking as we learn how to drive application security testing through huge application portfolios.