The Next Generation of AppSec is Upon Us (Part 1 of 2)
We invite you along with us to explore, clarify and enrich the conversation around shifting security paradigms in an era defined by software and agility.
By Brian Joe (Impart Security) & James Wickett (DryRun Security)
What's this about?
This first of two blogs marks an exciting collaboration between DryRun Security and Impart Security. With founders from both companies coming from Signal Sciences, both teams have a heavy background in AppSec, and we’re exploring the next generation of application security as the cybersecurity landscape shifts (yet again).
In this joint venture we hope to advance the movement of embedding security within software and transforming it into developer- and DevOps-friendly tools. We firmly believe that the future of security lies in its seamless integration with the software that is at the heart of our digital world.
Wave 1: Runtime Defense - Protect Right
Remember the early 2000s? The iPod. Flip phones. Bleach-blonde highlights. Sound familiar? Those were the days. That’s about the time that Application Security became “a thing” and at the same time was significantly transformed by the advent of two vital technology categories: defense and appsec detection. Yes, it was the dawn of the Web Application Firewalls (WAF) and security testing tools such as Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST). We refer to this as the first wave in defense and detection—Wave 1.
Originating as basic network firewalls, WAFs evolved to become a critical line of defense, protecting web applications from common attacks such as cross-site scripting (XSS) and SQL injection.
WAFs, unlike their network firewall counterparts, operate at the application layer of the OSI model, thereby providing more tailored security to web applications. Early on, WAFs were rule-based systems, relying on patterns to detect potential threats.
However, this approach had its limitations, leading to high false positives and negatives, making WAFs a subject of controversy and an almost comical punchline to the common caricature of cybersecurity of the day.
Meanwhile, security testing methodologies like DAST and SAST emerged for identifying security vulnerabilities in software applications. DAST, often referred to as "black box" testing, analyzes applications in their running state, testing them in the same manner as an attacker would. On the other hand, SAST, sometimes called "white box" testing, inspects an application's source code or bytecode for security flaws.
While these testing approaches made it easier and faster to detect security issues, they were not without their challenges. For instance, DAST often struggled to identify issues within the source code, while SAST was unable to detect runtime state problems. Both suffered from an overwhelming number of false positive findings that security professionals had to sort through.
In the 2010s, the technologies further matured, and the cybersecurity community saw an evolution in WAFs and security testing tools. Early AI and machine learning began to augment these technologies, but they were generally lacking. Wave 1 was still primarily reactive, focusing on finding and fixing vulnerabilities rather than preventing them from occurring in the first place.
Wave 2: Proactive Prevention aka Shift Left
The next decade brought Netflix binging; the full-scale, mountain-man (but groomed) beard; and cloud gaming. While beards grew, so did cybersecurity. The second wave of defense and detection swelled—or Wave 2 as we’ll call it. Wave 2 unfurled from 2010 to 2020, encapsulating a transformative decade in the realm of cybersecurity. This period witnessed the remarkable Shift Left and Shift Right movements, the impact of which is still reverberating in today's cyber landscape.
Wave 2 marked a change from security being an isolated concern of security professionals and auditors, to becoming an integral part of development and operations (DevOps) and security teams.
In the midst of this wave, Signal Sciences emerged as a pioneer, significantly shifting the WAF out of the Security Operations Center (SOC) and into the hands of DevOps and sometimes even developers.
The company introduced Next-Gen WAF, which not only protected applications from attacks but also integrated effortlessly with the existing DevOps toolchain.
This innovative approach ensured real-time visibility, scalable protection, and superior ease of use, making security an integral part of the development process rather than an afterthought.
Such a shift was instrumental in fostering a culture of shared responsibility for security, contributing to the rise of the DevSecOps movement.
Meanwhile, security testing tools underwent a notable evolution as well. Traditionally, these tools were primarily in the purview of auditors. However, in Wave 2, they began to be extensively used by security teams and bug bounty programs.
This brought security testing into the everyday fold of software development, enabling teams to proactively discover and address vulnerabilities. Such democratization of security testing paved the way for a more holistic and effective approach to application security, strengthening the overall defense mechanisms against the escalating threat landscape.
Wave 2 was an era of enlightenment in the world of cyber defense, bringing about an increased awareness of the importance of integrating security measures with software development and operational processes.
This shift towards an inclusive, shared responsibility for security set the stage for the next evolution in the security landscape, leading us into Wave 3, which we're excited to explore with you in our subsequent post. We’ll delve into the rise of automated security measures and the dawn of a new age in proactive defense and detection. Much better for you than Netflix binging and just as satisfying!
We’ll link to it here once it’s released, but part two will be released at dryrun.security/blog
To stay up to date on happenings with Impart Security and DryRun Security, follow us on LinkedIn: