Any trip to a Gartner Summit is equal parts seeking wisdom from the Oracle at Delphi, and “Hang on, it’s going to be a bumpy ride!” The 2016 Security & Risk Management Summit offered a few “OMG!” moments along with a sprinkling of hope that newer technologies are on the verge of broader market acceptance.
Major presentations focused on application security including a “State of the Union” overview and a look ahead to what Gartner sees happening through 2020 in the AppSec world. I walked away with the thought that there was little new – a view that even the Gartner presenters shared – but there has been definite progress in key areas with more on the horizon. Let’s look at three key takeaways that we’ll dig into deeper in future posts.
There’s no way to sugarcoat this: through 2020, 99% of successful exploits will involve vulnerabilities known for at least one year. The corollary to this stat is the length of time before an attack is discovered: now an average of 265 days before discovery and another 82 days before an attack is contained. That’s enough to make even the most jaded security pro want to hide under their desk. But there is good news…
Traditional approaches to AppSec are giving way to newer approaches on an accelerated basis. Gartner singled out Runtime Application Self-Protection (RASP) and Cloud Access Security Brokers (CASB) as two approaches that address many of the barriers to adding more effective protection – at scale – without adding to the workload of already overloaded staff or slowing app performance. Much of the improvement will come from more automation and AI being used in all parts of the application security lifecycle.
RASP is nearing the tipping point. By 2020, 40% of AppSec will be delivered by RASP and related technologies. RASP can solve some of the thorniest issues facing business – protection from known and unknown vulnerabilities (especially in third-party code), protection for out-of-date software (think of how many legacy Java-based apps you have), and virtual patching of entire app estates without taking the apps out of production – freeing staff time to focus on higher value activities. In other words, an ROI that will get the attention of everyone in the food chain.
One final tidbit from Gartner: the civil war continues to rage between technologists who think “writing better code” is the answer and devotees of new protection approaches like RASP. However, Gartner presenters used anecdotes from leading (but unidentified) businesses that are now using virtual patching as a permanent fix for low-risk apps and vulnerabilities.
That makes good business sense and it ensures these emerging approaches will become an important part of comprehensive application security programs.