AppSec Is Dead, but Software Security Is Alive & Well

There's no denying that an enterprise's application ecosystem must be protected, especially when the average total cost of a breach comes in at $3.62 million. But thwarting increasingly severe and frequent threats requires a holistic approach to security, one that places emphasis on managing not only application vulnerabilities but all software exposure.

In fact, the term "application security" should be removed from an organization's vocabulary and replaced with the broader term "software security." Software serves as the backbone to much of the digital transformation taking place within organizations today, which means it's time for CIOs, security leaders, and DevOps roles to come together and understand that the approach to securing software needs to evolve as well.

Mobile, cloud, the Internet of Things, microservices, and artificial intelligence, for example, have made software more complex. However, the emphasis remains focused on speed over security, disregarding the DevOps process, sometimes entirely. Historically, traditional security approaches have slowed the speed of development by acting as deliberate benchmarks that developers must "check off" in order to resume coding activities.

This alone gives essential security practices a bad reputation within an organization, but it also adds to the misguided stigma that developers are a source of the issue. Suddenly, you have a divided force that opens an enterprise up to software exposure. We see careless oversights and avoidable mistakes being made throughout all stages of the software development life cycle (SDLC). Addressing complex software development and related vulnerabilities requires a shift away from a siloed security approach to one that encompasses software as a whole and integrates it from the start of the SDLC.

Let's review the definitions of software and applications. Software is "organized information in the form of operating systems, utilities, programs, and applications that enable computers to work"; an application is "a program or group of programs designed for end users and written to fulfill a particular purpose of the user." We tend to use the word application as a simple way of talking about user interfaces. But really, the security of an app extends well beyond the UI to include back-end systems and integrations.

Based on the definitions above, the following statements apply:

Today, the complexity of software certainly perpetuates the security problems we're facing. Organizations such as Panera, Facebook, and Lord & Taylor, to name a few, have learned the hard way that vulnerabilities within an application often signal greater software exposure because, at the end of the day, an attack or hack implicates both. And with the one-year anniversary of Equifax mega breach just behind us, it's a stark reminder that we need to understand what's in a software stack. In the case of Equifax, an exploited vulnerability in the popular open source web software Apache Struts led to the compromise of almost 150 million people's personal information. There's much work to be done to improve the state of software security.

These four priorities are a good place to start:

Long gone are the days where organizations could be unprepared for and caught off-guard by compromised data and other cyber-incident damage. Attacks are only going to grow in frequency and complexity, as will software itself. As such, application security must be re-envisioned to support software security. AppSec is dead. Software security is alive and well.

Related Content:

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.