A crucial fish in a critical pond
Stepping into the Moscone Center on June 6th with the Invicti team, I was immediately brought back in time as it was my 17th visit there. It was great to be back in person, and I had forgotten about the scale of the RSA Conference and how the cybersecurity industry has changed over the many years. There are now hundreds of companies across every possible segment, and there’s no telling what that growth will look like in the future.
As part of a trifecta of must-haves in cyber, which includes securing data, access, and apps, web application security has gone from a niche to a vital part not only of web security but of web development and operations in general. Standing there among vendors big and small, talking to customers and prospects, Invicti was positioned in the right place at the right time – and with the right solution to real-world application security challenges.
The biggest change we saw? People are now asking us how they can manage application security better, not why they should do it at all or what makes it so critical. It’s the new normal: companies are ramping up and streamlining their AppSec efforts and gaining awareness of just how critical it is to test and secure web applications, as evidenced by constant crowd activity at the Invicti booth.
Infusing security into application architecture and development
Across the dozens of sessions (including several with our own Sonali Shah) and hundreds of customer stories, we could see a few main themes resurfacing over and over again. Zero trust was a major big-picture topic, highlighting the importance of security at every level of application development and operations. Organizations are realizing that, like performance and reliability, security isn’t a button you can press or a service you can order – it depends on decisions all across the development lifecycle, starting from application design and ending with production deployments.
With last year’s CISA mandates for strengthening government cybersecurity, federal agencies are now obliged to follow zero trust principles when designing, implementing, and operating their infrastructure to reduce implicit trust between systems. Making this happen in practice is a huge undertaking for any organization and requires careful strategy. During their session “Inside the Making of a Zero Trust Architecture,” Alper Kerman and Scott Rose from the National Institute of Standards and Technology (NIST) discussed such efforts from an ongoing demonstration project with the National Cybersecurity Center of Excellence (NCCoE). The project is a testbed for an agile approach to implementing zero trust deployments and, once complete, will allow NIST to deliver guidelines for organizations moving towards a more mature zero trust architecture.
Web applications are a crucial part of today’s software landscape, and when talking to customers at the Invicti booth, we learned that many of their AppSec concerns overlap with zero trust principles. As an example, Invicti’s web asset discovery and technology detection features tie in directly with zero trust requirements for resource and component identification. Echoing earlier sentiments, it was a thrill to have conversations at RSA where we could respond, “We already have that, we’ve been improving it for years, and it’s exactly what you’re asking for.”
Security is everyone’s job
We brought the bold tagline, “DevSecOps done right,” to RSA 2022 because Invicti offers a pathway to making security an inherent part of web development and operations. We’ve been talking for a long time about using dynamic application security testing (DAST) to shift left into development but also shift right into production. As AppSec awareness grows – especially in the enterprise space where every company now develops some or all of their own applications – organizations are looking for ways to implement security testing earlier, cheaper, and more efficiently.
But this work belongs to us all, regardless of job title. A common thread at this year’s RSA conference was the notion that security is everyone’s job. Development teams can no longer assume that their security counterparts have it covered; security testing needs to be baked into workflows old and new, automated across all phases of the SDLC, and made a common responsibility. Earlier this month, Invicti’s Chief Product Officer, Sonali Shah, participated in a video interview on DevSecOps with Information Security Media Group, where she discussed exactly that challenge: how to reconcile the pressure to innovate with the requirement to deliver secure software.
Echoing many of these points, Dell’s Sam Sehgal presented a fascinating session titled “Security Automation for DevOps at the Scale of Dell: A Real-Life Case Study.” He discussed some of the pain points that his team used to struggle with, including long cycles for DevOps feedback, security scan results that were difficult to consume, and false positives impeding agility. A vital part of the solution was to literally act as one team every day, making security an inherent part of the DevOps workflow – right down to everyone working with a common backlog of issues. That way, security is part of everyone’s job, not an external process that interferes with daily development.
Application security is never done and dusted
A third noteworthy theme running through RSA was the idea of making security continuous. For application security, this means scheduling automated testing to ensure you’re not exposed to new threats while also meshing with development to secure everything before it goes into production. And with automation now a part of everyday life (not to mention everyday development), automating security testing is the natural next step to maintaining coverage across time and workflows.
The business risk and costs of application security are a crucial part of the cybersecurity conversation as security leaders struggle to maintain and expand budgets while also demonstrating the value these activities bring to the organization. Verizon’s Chris Novak touched on this and other important trends in his session “Cybersecurity as a Business Conversation.” Stressing the rising cost of cybercrime breaches and attacks (a 13% increase year-over-year), he pointed to visibility and threat intelligence as key enablers of an agile cybersecurity strategy. Combined with modern and up-to-date tooling, knowing your realistic attack surface while also being aware of emerging threats helps both minimize risk and show value to decision-makers in the C-suite or at the board level.
Looking at this through the Invicti lens, our customer conversations confirmed the importance of Invicti’s test coverage, going from discovery and crawling to in-depth vulnerability testing and finally on to clear reports, all joined together by automation and integration. Companies know they need to automate their application security, so now the only question is how to do this efficiently and accurately. For me, the most satisfying part of being at RSA Conference 2022 was hearing how Invicti is already helping customers solve that conundrum.
We automate what we can – so you can do what you do best
As my mind occasionally drifted over the course of an exhilarating and jam-packed four days, watching security professionals take on the Rube Goldberg-inspired mechanical vulnerability machines at our booth brought me back down to earth with a reminder of just how critical the human element of AppSec is. We had technical specialists focusing fully on problem-solving, this time using mechanical wheels and levers rather than debuggers – and having fun in the process. It really drove home the message that the way to get results and satisfaction is to cut out the noise and let humans be the natural problem solvers they are.
Thank you, everyone, for an unforgettable RSA Conference 2022 – and see you next year.