Solving a cross community challenge like application security

Can we hope to change software security when our software and security teams continue to operate independently?

This week, the GISEC conference kicked off at the Dubai World Trade Centre, marking the start of the global information security conference season across the Middle East and Africa and setting the scene for its US-based counterparts, the RSA Conference in San Francisco (May 2024) and Black Hat USA in Las Vegas (August 2024).

GISEC attracts over 30,000 attendees from over 100 countries during its three-day event.

As is typical for these events, GISEC hosted a large number of world-class speakers from the security leadership community, with a heavy emphasis on those in executive roles such as CISOs. These talks outlined the continuing challenges our organizations face in securing critical infrastructure, assets, and information.

Walking the expansive trade show that accompanied the event, it was clear that a contradiction sits at the heart of our industry.

The missing information security domain

Application security (or product security, as it is now called in some circles) was barely a whisper in the lineup. On the trade show floor, most application security solutions were focused on software supply chain security or variations on web application firewalls.

Other than the expected talks on the challenges of AI in an organizational security context, there was almost no discussion of the challenges of securing our software. More established aspects of our information security programs, such as governance, risk and compliance, and perimeter security, continue to dominate our attention.

This is ironic.

The problem is the solution.

Much like the ouroboros, the self-devouring serpent of Greek mythology, we may be faced with a circular problem.

Image: ouroboros drawing by an anonymous medieval illuminator, fol. 279 of Codex Parisinus graecus 2327, a copy made by Theodoros Pelecanos (Pelekanos) of Corfu in Khandak (Iraklio), Crete, in 1478, of a lost manuscript of an early medieval tract attributed to Synesius of Cyrene (d. 412); the text of the tract is attributed to Stephanus of Alexandria (7th century). Uploaded by Carlos adanero. Public Domain, https://commons.wikimedia.org/w/index.php?curid=2856329
  • The trade show solutions to these issues are almost exclusively software platforms.

  • The conference and tradeshow themselves run on a complex set of software tools built by a range of global organizations.

  • The attendees happily and enthusiastically communicated with each other and networked using a range of social platforms - again, all software.

If the solution to our security issues is a software platform, then surely those security software platforms must have conquered our approach to securing our software, right?

Not quite.

We don’t see our security vendors as software companies. 

This is most likely a hangover from 20 years ago, when a trade show floor would have been dominated by physical edge devices and network security appliances. We still separate our security vendors from the rest of the software community and from the expectations we place on software companies (including our own software teams).

They don’t tell us how they build secure software, and quite frankly, we don’t ask.

(Note: I don’t mean sending security questionnaires, we all know that’s rubbish. I mean a real, transparent conversation about processes and approaches).

Two decades of change for little outcome

If the cause of our security issues is now very commonly software, and the solution to them is also software, then we have an unavoidable need to speak more openly about why, after 20 years of talking about common software vulnerabilities (the OWASP Top 10) and ten years of talking about shifting left (DevSecOps and agile application security), we are still seeing the same challenges and issues.

We still don’t see the software community attend our security events.

We don’t see the security community attend our software events.

We need to see much more collaboration across these two diverse and often conflicting aspects of our organization, even though software is responsible for both our organizational successes and efficiencies and the fastest-growing risks posed to our people, data, and systems.

So what can we do?

As someone who leads a software product company in this space, I clearly have a conflict of interest; however, neither I nor SafeStack is the solution to this.

The solution is much more complicated than buying a tool and reading a book.

This intergenerational, cross-community challenge needs us to set aside the boundaries between those who build technology and those who try to secure it.

We need both sets of expertise and this collaboration to start now. 

We must also acknowledge that almost all companies are now software companies: our own and those we buy from or integrate with. This means having a much more open dialogue about what we are practically doing to solve application security issues, how we are improving collaboration and engagement with our development teams, and what challenges remain.

(Spoilers: I believe there are many and that we haven’t really scratched the surface when it comes to solutions, either product-based or process-led.)

We desperately need collaboration and diversity of leadership.

We have several incredible non-profit organizations on both sides of the equation that care deeply about creating high quality, secure software. However, they need to work together and ensure that their membership (and leadership) is diverse and includes practitioners from the software engineering and security communities. 

Only then will the solutions and guidance be fit for purpose, all the relevant challenges in this space be considered, and most importantly, the right people will be reached to make measurable change.

After all, there is no point in our separate communities spending thousands of hours publishing guidance if it is never read by the people it is intended to serve.

These organizations include, but are not limited to, OWASP, OpenSSF, the Secure Software Project (coming soon?), and many more.

Start by taking a step outside of your community and comfort zone

For now, all we can do is approach this conference season with a degree of scrutiny, looking for the unspoken conversations and the missing voices in the room. If you are primarily in the security space, look for your development peers. If you are in the software community, find your application security practitioners - the people working on hard problems just like you, but from another angle.

If we each make one connection across the divide this year, then perhaps we might finally start talking about (and addressing) the security challenges of our amazing software-led future.

We cannot hope to secure a software-led future for our societies and organizations while our builders and defenders remain separated. I only hope we can find a way to bring them together soon.