RSA Conference is unquestionably the biggest security event of the year. With so many companies showcasing the latest and greatest in security technology and solutions, it’s very difficult to stand out amongst the crowd. However, in light of recent headlines, it’s evident that securing the software that powers our digital economy will be a major talking point at this year’s show. With that in mind, I want to give a bit of a sneak peek into what attendees can expect from us in terms of new solutions, as well as what topics we’ll be discussing that affect the security industry as a whole.
The notion of “shifting left” has become ubiquitous in the security industry, especially with the advent of DevOps and, further still, DevSecOps. You may have noticed that Veracode has been harping on that notion for some time now – and for good reason. With development cycles becoming shorter and shorter, security that can integrate into the software development lifecycle (SDLC) is the only means to ensure that your code is shipped flaw-free while maintaining speed-to-market. At RSAC 2018, you can expect to see solutions that accommodate the “shift left” movement by finding potential vulnerabilities at the earliest points in development. Veracode Greenlight provides an automated way to find flaws directly in your Eclipse, Visual Studio, or IntelliJ IDE, thereby allowing developers to remediate flaws earlier in the SDLC, keeping remediation costs low compared to what it would cost to fix flaws just before production.
Another big topic we’ll be discussing is the ongoing battle with securing commercial and open source software. Open source software has steadily become the elusive white whale for many security professionals. Though its usage caters to the needs of Agile and DevOps methodologies, there is an element of unknown risk when implementing someone else’s code. At this year’s RSA, we’ll be showcasing our Software Composition Analysis (SCA) solutions to show how you can build third-party risk awareness across your entire development organization. SCA serves a means to catalogue your third-party components and ensure that the most secure versions are implemented across your app portfolio.
In short, applications run our economy. As modern businesses move away from infrastructure, applications that run in the cloud, the web, or on mobile devices bear most of the load of keeping businesses running. Because of this, they are an attractive targets for attackers. With companies deploying new applications every day, the threat landscape continues to grow and demands our attention in making sure that software is built not only with functionality, but with security in mind as well.
With regards to application security, the mantle of responsibility is shifting away from security towards a shared responsibility model with development teams. It’s this cultural change that is a struggle for even the most mature security programs. Conflicting priorities between security and development along with a lack of security training makes it difficult to build a culture of secure coding. However, it’s not all gloom and doom. More IT leaders recognize the need to ship secure code by integrating security checks into the development pipeline; not only that, but the idea that secure code is synonymous with quality code is catching on amongst the development community. There needs to be a continuous effort to build relationships between security and development organizations to ensure that everyone is following a defined process.
There’s a lot going on at RSA but there’s something really special about networking with other professionals working to solve the same problems we are. It doesn’t even have to be within the realm of application security. Sharing war stories with other security professionals, and sharing new ideas is what I enjoy most about returning to RSA each year, and I am excited to return again in 2018.
Here more of my thoughts on RSA and application security in this short video: