This RSA session was actually two separate presentations dealing with misconceptions in the security industry. The first, by Richard Stiennon, chief research analyst at IT-Harvest, focused on some of the misconceptions in the industry and used data from his analyst research to demonstrate why these beliefs are not true. The second part was given by Gary McGraw, CTO of Cigital, and dealt with the misconceptions around security and DevOps. You can get both presentations here: https://www.rsaconference.com/events/us16/agenda/sessions/2504/myth-busting-the-security-landscape-and-development
Richard first pointed out that the industry consolidation that everyone talks about is just not true. He points out there are 934 network, endpoint, data, IAM, and GRC security companies that he knows of today. Yes, there are acquisitions, but if there were truly a consolidation, each of these areas would have a few big players and maybe a few small outliers left. The reason we don’t see consolidation, he explained, is because the biggest companies can’t predict what is going to happen next in this market. It is just changing too fast. So the seed money goes to the little startups, which innovate and then get bought up. But there will always be startups, and many of them will remain independent.
Richard also claims that the growth rate cited by Gartner (4.7%) woefully underestimates the market. Richard predicts the overall security market will grow at about 24% or more and that it will grow to be a $640 billion market by 2023.
With that kind of growth, no wonder there were 40,000 people at RSA and over 300 exhibitors!
Gary’s portion of the presentation listed the seven myths of security and development. As I’d already attended several DevOps-related talks this week – one of which included Gary – I had already heard many of these points, but the seven myths were:
- Perimeter security works – there is no such thing as the perimeter anymore!
- A security tool will fix all your problems – tools find problems, but you still need a way to fix them.
- Penetration tests are perfect – pen testers are human, bound by project scope limitations and, well, sometimes they don’t report everything they find.
- Cryptography is magic – developers are taught to add features, so when they have to add in security, they think of it as a feature rather than a quality issue. If left to their own devices, they will add in encryption as a feature, but it isn’t enough.
- Fixing bugs is enough to be secure – you can find bugs with SAST, and then have a plan for fixing them, but that doesn’t address overall design flaws. That is why security needs to be part of the entire software lifecycle from design to production.
- Security is the developers’ problem – if only that were true. Developers aren’t trained security professionals so they do not have the knowledge to tackle this problem on their own. The only way for this to work is to have a software security group working with the development team to create a system that doesn’t interrupt the development lifecycle.
- I only have to focus on high-risk apps – that may have been the case in the past, but that isn’t true any longer. We need to raise our expectations because cybercriminals will attack any application, business-critical or not.
We came up with our own set of AppSec Fallacies as well. You can view the pdf here.