Note to the CISO: Part 3 – The Future of Application Security


Last week we wrote about Contextually Aware Security, where we discussed moving beyond the challenges with static application analysis, and into contextually aware analysis. This type of analysis and testing focuses on what happens in ‘The Wild’, with the focus shifting from one-time static analysis towards continuous analysis. This is where the rubber meets the road for application security, and understanding your true risk posture can only be done by looking at the full picture.

In this post we’ll expand on our concept of CAST – Contextually Aware Security Testing, and discuss where we think security is going.

The New Continuous Nature of Security

The past five years have seen a surge in what the market calls ‘DevOps’, and with it the always-on and continuous nature of both software development and deployment. In order to keep up with market demands and operate successfully in a world where Software-as-a-Service runs a good portion of our daily lives, it’s important that software can go from the hands of a developer to the screen of a user in record time.

Not unlike the changes in continuous software deployment, application security also needs to change its game. It needs to move beyond static or one-time analysis, which doesn’t take into account the thousands of shifting variables that exist in the real world. It also needs to understand the relationships between those variables, and what the resultant risk posture is.

It should be noted that the resultant risk of any given application is actually different for each organization (and perhaps even different for individual apps within the org), making any specific ‘security test’ tough to both deploy and enforce across every organization. But as we follow the thread of Continuous Security and weave it together with Contextually Aware Security, we believe you end up with the best chance there is to protect your organization from threats.

CAST – Contextually Aware Security Testing Continued

Here’s the CAST overview in a nutshell:

[Figure: CAST – The Wild]

The concept of CAST is to move beyond what happens behind closed doors and ensure we capture the full picture by monitoring everything that’s going on in ‘the wild’. That includes everything from the validity of certificates, to the type of network calls, to the status of known threats (such as CVEs). This takes much more than looking at an application in isolation or doing any given test only once.

Contextually Aware Security Testing aligns with the reality of continuous security that recent cyber threats have thrust us into. It requires truly understanding every asset that makes up an application and how real-world changes to those assets impact the overall risk posture. Executing a CAST model successfully requires contextually understanding applications, including their direct and indirect threat vectors, and the ability to continuously test and adapt risk scoring to better inform decision makers and incident response activity.

The Future of Application Security: CAST and Dynamic Risk Disposition

Being able to truly understand the contextually relevant risk for applications is the first half of what we see as the future of application security. The second half is about mapping that risk in a logical and unique way to each individual organization. We call this mapping a Dynamic Risk Disposition.

Dynamic Risk Disposition is just a fancy term for allowing organizations to change the weight of various risks as they pertain to them. For example, a financial institution is going to weigh the risk of insecure communications much higher than a game studio, which might in turn rate code theft as its highest threat. The point is, it isn’t up to the security companies to decide.

While we can offer a suggested risk disposition based on our experience in the marketplace, ultimately the customer needs to dynamically customize how they perceive risk in their own environment.
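To make Dynamic Risk Disposition concrete, here is an added illustrative model of the idea described above and in the CAST section: the same set of findings for one application is scored twice, once with a financial institution’s weighting and once with a game studio’s, and then re-scored when a single asset changes in the wild (a certificate expiring). This is example code written for this page, not Mi3’s RECON code or any published scoring method; the finding set, the category names, the severity numbers and the two weight profiles are all constructed for illustration.

```python
"""Illustrative Dynamic Risk Disposition: the same findings, weighted per organization.

Example code only; categories, severities and weight profiles are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str        # which part of the application the observation is about
    category: str     # risk category the organization assigns a weight to
    severity: float   # base severity reported by the test, 0.0 .. 1.0


# Constructed findings for one hypothetical mobile application (not a real scan).
FINDINGS = [
    Finding("mobile-app/network", "insecure_communications", 0.7),  # cleartext HTTP call observed
    Finding("mobile-app/tls", "insecure_communications", 0.5),      # server certificate expiring soon
    Finding("mobile-app/binary", "code_protection", 0.8),           # no obfuscation or anti-tamper
    Finding("mobile-app/libs", "known_vulnerability", 0.9),         # dependency with a published CVE
]

# Hypothetical dispositions: relative weights per category, normalized before use.
DISPOSITIONS = {
    "financial_institution": {"insecure_communications": 5, "known_vulnerability": 4, "code_protection": 1},
    "game_studio": {"insecure_communications": 1, "known_vulnerability": 3, "code_protection": 6},
}


def normalize(weights):
    """Scale a weight profile so the weights sum to 1.0; the ratios are what the organization chose."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("a disposition needs at least one positive weight")
    return {category: w / total for category, w in weights.items()}


def score_findings(findings, disposition):
    """Return (overall_score, per_category_scores) with each severity scaled by the org's weight.

    A finding whose category the organization never weighted is an error rather than a silent
    zero: an unweighted risk would otherwise disappear from the overall score unnoticed.
    """
    weights = normalize(disposition)
    per_category = {}
    for f in findings:
        if f.category not in weights:
            raise KeyError(f"no weight set for category {f.category!r} (asset {f.asset})")
        per_category[f.category] = per_category.get(f.category, 0.0) + f.severity * weights[f.category]
    overall = sum(per_category.values())
    return round(overall, 3), {c: round(v, 3) for c, v in per_category.items()}


def top_risk(findings, disposition):
    """The category an organization should look at first under its own disposition."""
    _, per_category = score_findings(findings, disposition)
    return max(per_category, key=per_category.get)


def rescore_on_change(findings, disposition, asset, new_severity):
    """Continuous aspect: one asset changed in the wild (e.g. the certificate actually expired),
    so the whole application is re-scored instead of relying on the one-time result."""
    updated = [Finding(f.asset, f.category, new_severity) if f.asset == asset else f for f in findings]
    return score_findings(updated, disposition)


if __name__ == "__main__":
    for org, disposition in DISPOSITIONS.items():
        overall, per_category = score_findings(FINDINGS, disposition)
        print(f"{org}: overall={overall} top_risk={top_risk(FINDINGS, disposition)} {per_category}")
    # The TLS certificate expires: the financial institution's score moves the most.
    print("after cert expiry:", rescore_on_change(FINDINGS, DISPOSITIONS["financial_institution"],
                                                  "mobile-app/tls", 0.9))
```

Identical findings give the financial institution insecure communications as its top risk and the game studio code protection, which is the whole point of letting the customer own the weights; the re-score shows why a one-time result is not enough when an asset’s state changes after the test.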

As we look to the next decade, we believe the future for application security will be one that is contextually aware of everything that is happening in the wild, in a continuous fashion, and that organizations will be able to dynamically set the relevance of certain risks in a way that makes sense for their business, regulatory requirements or shareholder value.

Where To Go Next?

Read Part 1 of the Series: The Evolving Application Security Landscape

Read Part 2 of the Series: Contextually Aware Security Analysis is Here

Contact us to see a demonstration of the RECON Platform

Watch an overview of the Mi3 Security Portfolio