AppSec Improves its Seat at the Security Table

AppSec Improves its Seat at the Security Table

Among the typical security arrows in an organization’s quiver, application security – AppSec – has historically seen slow adoption, in part because IT personnel have lacked the skills to deploy it properly.

A study by the 451 Alliance shows that AppSec and coding represent the second-largest IT security skill gap (identified as “inadequately addressed” by 39% of respondents), behind only cloud platform expertise (48%).

Security skill sets: current importance vs. skills inadequately addressed

DevOps enabling AppSec

In his webinar Benchmarking Enterprise Application Security, 451 Research security research director Dan Kennedy explained why AppSec is now hitting the radar screens of larger enterprises. The advent of DevOps, he noted, has helped forge a strong connection among once-disparate IT groups like systems administration and application development. The integration – or at least improved collaboration – of such teams has dramatically improved the design, efficiency, quality and time to market achieved by developers.

Kennedy explained that information security can inject its practices and safeguards into the DevOps process. Among the tools seeing a significant uptrend in adoption is AppSec, with security pros and software developers jointly owning responsibility for its implementation.

“Besides the obvious cost [benefits], correcting security vulnerabilities within the development lifecycle may be the only way to keep up with the velocity of change in modern application development,” he noted.

Application Security Testing in the AppSec Cycle

SDLCs Shifting Left and integration points

The earlier application security testing (AST) can be incorporated into the software development lifecycle (represented in the slide above as “shifting left”), the more efficient (and less costly) the dev process becomes, and the higher the quality of the final product.

“If you’re only testing [software] in production, which is the way we used to do it, you’re likely not keeping up with the philosophy of code change,” Kennedy says.

He went on to note that the shift toward earlier integration of application testing is about the “shared use of AST tools, extending them to developers while satisfying the information security teams’ need to measure both process efficacy and whether vulnerabilities are making it to production.”

With respect to the ownership of AST tools between these two constituencies, the 451 Alliance study shows that, while only 29% of respondents allocated AST deployment to developers four years ago, that figure has grown to 48% today.

Application security tool usage by team

“Developer usage will likely exceed information security team usage in the near future,” Kennedy stated. “It makes sense, since they’re writing the code.”

Kennedy takes a deep dive into other aspects of the AST category in this hour-long webinar. The 451 Alliance webinar series is one of many IT informational resources available to members.


Not a member? See if you qualify.