Let's change the way we AppSec
There are many different ways to "do" application security. Most organizations have a set budget allocated for application security and want to use it to optimize quality and coverage. I recommend evaluating different application security control options according to three key factors: scalability, coverage, and ease of use.
Applications are moving to the cloud and no longer consist of a simple set of HTML pages. Today's web applications are increasingly API-driven, and because an API "speaks" the language of the business, testing it adequately requires an understanding of that business. Security professionals are finding that standard scanning technologies recognize generic vulnerability patterns such as injection and misconfiguration but have no model of the application's business logic, so they must be heavily customized before they can find the flaws that matter.
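To make the "business logic" point concrete, here is an added example (constructed for this page, not code from the original article): a toy order API with a vulnerable handler beside a hardened one, and a small probe routine that encodes three business rules as tests. The catalog, SKUs, users and rule names are all assumptions. A generic scanner sending injection payloads would report nothing against either handler, because nothing here is an injection bug; the probes only work because they know what a valid order is supposed to look like.

```python
"""Constructed example: business-logic checks a generic scanner would not make."""
from dataclasses import dataclass, field

# Assumed catalog: SKU -> unit price in cents. Not from the original page.
CATALOG = {"sku-1": 25_00, "sku-2": 10_00}


@dataclass
class Store:
    """In-memory stand-in for the application's order storage."""
    orders: dict = field(default_factory=dict)
    next_id: int = 1


def place_order_vulnerable(store, user, payload):
    """Trusts client-supplied price and quantity; stores whatever it is told."""
    total = payload["price"] * payload["quantity"]
    oid = store.next_id
    store.next_id += 1
    store.orders[oid] = {"user": user, "total": total}
    return {"id": oid, "total": total}


def get_order_vulnerable(store, user, oid):
    """Returns any order by id; the caller's identity is never checked."""
    return store.orders.get(oid)


def place_order_hardened(store, user, payload):
    """Recomputes the price server-side and validates quantity against a business limit."""
    sku = payload.get("sku")
    qty = payload.get("quantity")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    if not isinstance(qty, int) or qty < 1 or qty > 100:  # assumed business limit
        raise ValueError("quantity out of range")
    total = CATALOG[sku] * qty  # any client-supplied "price" is ignored
    oid = store.next_id
    store.next_id += 1
    store.orders[oid] = {"user": user, "total": total}
    return {"id": oid, "total": total}


def get_order_hardened(store, user, oid):
    """Enforces ownership: a user may only read their own orders."""
    order = store.orders.get(oid)
    if order is None or order["user"] != user:
        raise PermissionError("not your order")
    return order


def business_logic_probes(place_order, get_order):
    """Custom test encoding three business rules. Returns the names of violated rules."""
    findings = []
    store = Store()

    # Rule 1: the client must not be able to set the price.
    try:
        r = place_order(store, "alice", {"sku": "sku-1", "price": 1, "quantity": 1})
        if r["total"] != CATALOG["sku-1"]:
            findings.append("client-controlled price")
    except ValueError:
        pass  # rejected outright, which also satisfies the rule

    # Rule 2: quantity must be a positive number.
    try:
        r = place_order(store, "alice",
                        {"sku": "sku-1", "price": CATALOG["sku-1"], "quantity": -3})
        if r is not None:
            findings.append("negative quantity accepted")
    except ValueError:
        pass

    # Rule 3: a user must not be able to read another user's order.
    alice = place_order(store, "alice",
                        {"sku": "sku-2", "price": CATALOG["sku-2"], "quantity": 1})
    try:
        if get_order(store, "bob", alice["id"]) is not None:
            findings.append("cross-user order read")
    except PermissionError:
        pass

    return findings


if __name__ == "__main__":
    print("vulnerable:", business_logic_probes(place_order_vulnerable, get_order_vulnerable))
    print("hardened:  ", business_logic_probes(place_order_hardened, get_order_hardened))
```

Each probe is a statement of what the business allows, written down as code; that is the "customization" a scanner needs before it can tell a legitimate order from a price manipulation or a cross-account read. The same probes can run on every build rather than once a year.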
There is renewed demand for manual penetration testing, and a pen test once a year simply isn't good enough. Today an application security penetration test has to meet three requirements: a cost that allows frequent testing and broad coverage across the application portfolio, access to skilled testers who can do the manual work, and tight integration with development processes so that the issues found actually get fixed.
Application security specialists may be very good at finding security bugs and flaws, or at helping others find them, but it takes a developer to change the code and fix them.
Application security professionals must learn about and integrate with existing development processes in order to achieve the primary goals of application security – higher quality, more secure code.