Report Card: Incite #10 - Built to Last (Securely)

Submitted by Mike Rothman on Thu, 2006-12-28 08:31.

As application security functions are further integrated into UTM platforms in 2006, focus shifts to actually building software securely. The high tech vertical will lead the way in embracing behavioral changes for developers, source code analysis tools, and techniques to protect data at rest. New Web 2.0, SOA and on-demand application architectures with better security models increase in importance.

Grade: C-

Original Days of Incite post: here
Incite Redux post: here

Ouch! What’s the lesson learned from this Incite in 2006? Never minimize the willingness of developers to keep doing what they were doing, even if it’s the wrong thing to do. The secure source code analysis players did announce some high profile reference accounts, but not enough to say this market happened in any way, shape or form in 2006.

Given my strong belief that Mr. Market is right over time, I don’t think counting on developers to get it right is a good plan. So where does that leave customers? Same place we were at the beginning of 2006, focused on doing what we can. You know, taking responsibility for things that are within our control.

We did see an increasing interest in web application scanners, which is happening in the nick of time. Given that the path of least resistance to compromising a network now runs through its web applications, scanning an application before setting it loose on the world is a good thing.

But as Jeremiah Grossman points out in this tremendous post (here), we have a bit of a scaling issue relative to the expertise required to assess all of these applications. There is no way there will be enough qualified folks to test all the applications that need to be tested. So that means YOU (yes, I’m pointing at you) need to get a lot smarter on Web application security in 2007.

One part of the Incite that was dead on is the focus on protecting data at rest. If you read between the lines of the big EMC/RSA deal, you get to the conclusion pretty fast that securing all that data stored on EMC spindles was a key driver for the $2.1 BIG (as in Billion) they spent. Look for continued interest in this space (including database monitoring) for quite a while.

Finally, Web 2.0 and SOA hit their strides in 2006, but the security implications are largely unknown. Everyone acknowledges that these new application architectures are fundamentally different and will require fundamentally different approaches to secure them. Beyond that, there is precious little consensus on what the answer is.

In 2006 we asked the right questions about application security. Our task in 2007 is to start moving towards the answers because the state of application security is not where it needs to be. Not by a long shot.