Why Continuous Security is the Next Application Security Movement

By Mark Curphey
April 17, 2017

Today we launched a new company web site and have changed the way we talk about what we do. This is important because we believe that application security is in the midst of a transformational change. The old model of security was slow, contentious and typically applied as a series of quick fixes at the end of a development cycle or even after shipping. Even in the past this approach was more of a necessary means to an end rather than the ideal. In today’s world of DevOps and Continuous Delivery it is just plain obsolete.

However, the very forces that destroyed the old security model have left behind the keys for a new way forward. By harnessing the power of open source, automation, and collaboration, security can finally become an integrated part of development as opposed to a slow, unwieldy afterthought. Modern application security is about enabling software developers and security engineers to work together at the speed of DevOps. It is about visibility, control and collaboration quite literally as changes are made. It is security that is built into the tool chain and allows teams to harness an ever-changing world without introducing risk or impacting delivery. In this new approach there is no negative trade-off between security and velocity. In fact, the opposite is true. As strange as it may sound, if you want to be safer, you need to move faster.

Continuous Security is a movement among leading-edge application security engineers. It's the antithesis of old-school approaches that mandate written policies that developers never read, boring PowerPoints demonstrating security parlor tricks, or filling in useless threat-model templates in spreadsheets. The Continuous Security movement embraces the reality today that if you want security in a continuous delivery world then automation is king and friction hurts. It acknowledges that everyone is unique and there isn't one size that fits all. It embraces the notion that you have to empower and trust (but verify) developers and that collaboration between security and developers is the only way forward.

In May we will be releasing a blueprint for doing continuous application security and will push the first of a set of open-source tools written in Go to check and lock down your GitHub and AWS setups.

We think this work will help forward-thinking people embrace the Continuous Security movement in their application security programs. We have already put a full-time engineer behind the project and plan to increase that support in the future. We know it's going to upset the old guard. After some initial dialog, we intentionally chose not to do this work within an existing community because they are still pushing the same old ideas, creating hundreds of half-finished projects no one needs or maintains, and have become saddled with a bureaucratic and political inertia that frankly hasn't moved the needle now in over a decade.

For those of us who have slogged through the failed attempts of the past, these are genuinely optimistic times. It’s a fork in the road where those that get it will thrive and those that don’t will slip back to the shadows. Continuous Security is here. Join the movement.

Mark Curphey

Founder and CEO

Mark Curphey, Vice President, Strategy
Mark Curphey is the Vice President of Strategy at Veracode. Mark is the founder and CEO of SourceClear, a software composition analysis solution designed for DevSecOps, which was acquired by CA Technologies in 2018. In 2001, he founded the Open Web Application Security Project (OWASP), a non-profit organization known for its Top 10 list of Most Critical Web Application Security Risks.
Mark moved to the U.S. in 2000 to join Internet Security Systems (acquired by IBM), and later held roles including director of information security at Charles Schwab, vice president of professional services at Foundstone (acquired by McAfee), and principal group program manager, developer division, at Microsoft.
Born in the UK, Mark received his B.Eng. in Mechanical Engineering from the University of Brighton, and his Masters in Information Security from Royal Holloway, University of London. In his spare time, he enjoys traveling and cycling.