When I was working at @stake in the early 2000s, most of my client engagements were in application security. I did a number of code reviews that involved people handing me stacks of paper to go through. “Grep” was an important security tool. When I was involved in application penetration tests, we used a combination of freely available utilities, homegrown tools, and manual effort.
I took this trip down memory lane because I woke up to a post from my Forrester colleague David Holmes that reminded me how much security has changed over the last two decades. Referencing my recently published Forrester Tech Tide™ for application security, David commented, “I was a coder for 25 years. When I started we didn’t have all these fancy appsec tools and also get off my lawn!”
So, yes, application security has evolved quite a bit since then (and also, get off David’s lawn!). In “Forrester Tech Tide: Application Security, Q4 2020,” I analyzed the maturity and business value of the 20 technology categories in the application security space. Note that these 20 are not an exhaustive list of every application security technology out there, but editorial constraint and common sense require that I focus on the technologies that the market cares about most and that are most closely tied to common application security use cases.
So, how should security pros use the Tech Tide?
- Know what’s out there. In the last few months, I’ve had a few conversations with end users in which I mention a particular application security technology (say, software composition analysis), and the person responds that they had heard of it but had forgotten about it. With so much happening in your day-to-day security life, it’s easy to lose track. Use the Tech Tide to understand the range of application security technologies available to you.
- Review your investments and prioritize spend. Both your security team and your organization’s security requirements have likely changed in the last few years — even in the last few months! Now is the time to look at the application security technologies that you’ve invested in and see if they still make sense. Are you spending too much on technologies that don’t provide enough value? If you no longer have enough people to manage a particular technology, should you divest, or should you find more people? Are you underinvesting in critical areas?
- Focus security innovation. Pick one or two application security technologies that address emerging security needs in your organization, and start trying them. If you know your organization will start developing serverless applications next year, investigate serverless security options. If you’ve been wondering how client-side security tools can improve your security posture, try them out on a couple of applications. Remember that for early-stage technologies, you can have outsized influence on product direction, so make sure to share feedback with your vendors. And don’t forget to include your developers in the testing, too!
Check out the full report to see my analysis of 20 application security technologies: their maturity, key use cases, challenges, and where they add value.