I've been covering the vagaries of AppSec for the better part of a decade now. And in spite of all the evidence that has surfaced over the years that points to the application layer as one of the riskiest in the IT infrastructure, I've observed that most IT programs haven't matured their AppSec programs accordingly. The level of investment and attention to detail in enterprise application security is, on average, not commensurate with the risk.
According to recent figures from SANS, about half of enterprises spend 10 percent or less of their overall IT budget on application security, and another 34 percent don't know what the percentage is, which is a good clue that the number is pretty small. Looking at those stats, it's no surprise that the news bleeds ink about data breaches just about every day now.
So Why the Lag?
For one, IT security is still dominated by its fundamental roots in network security. That's where many of the experts in IT risk management cut their teeth and the need there has been communicated up the executive chain for decades. AppSec risks have been around for a long time, but not that long.
Perhaps what's holding AppSec back the most is a set of lingering misconceptions about the discipline, ones that naturally arise from security's original network bias. Veracode recently published a report on application security myths. Among the myths busted were several enduring ones that still serve as excuses for ignoring application security.
For example, there's the belief that AppSec is financially out of reach for organizations. This logic ignores the costs of lost revenue, incident response, downtime and brand damage that result from not making that investment.
Also, there's the misapprehension that only software vendors really need to worry about application security. This persists in spite of the fact that in this era of the Internet of Things (IoT) and an app-for-everything consumerism, every company is a software company.
And, of course, there's the mistaken trust that people place in firewalls, antivirus products and network security to solve their AppSec woes. These controls operate below the application layer: an attack that arrives as a well-formed request to a vulnerable application (an injection string in a form field, a forged session token, a flaw in the application's own authorization logic) passes straight through a firewall that is doing exactly what it was designed to do, so they do little to protect against software-related vulnerabilities.
No More Excuses
These are the classic hits of AppSec myths and excuses. But new ones are forming every day as IT starts to shift to a faster and more continuous development lifecycle. Veracode's report touched on this when it tackled the misconception that the security team can't assess applications when developers move away from waterfall development. Security practitioners have to adapt to Agile, not the other way around.
I'll go one step further and say that this applies not just to Agile, but also to its heir apparent, DevOps. The natural evolution from Agile practices in development to the DevOps practices that span the entire IT ecosystem scares a lot of security advocates (see here and here for some typical "the-sky-is-falling" lamentations). But it shouldn't.
So here I am to add a couple more AppSec myths to the junkyard; these are centered firmly on the new mode of continuous delivery that DevOps promotes.