AppSec Timeline: Wins, Failures, Promises, and Predictions

The main idea of the conference presentation is that traditional application security technologies are not sufficient for modern DevSecOps requirements and that specially designed technologies are needed to enable DevSecOps.

• Technology is the basis for culture, not the other way around
• Existing traditional security technologies are not designed for DevSecOps and cannot fulfill modern requirements
• Automation of specially designed technologies is necessary for DevSecOps
• DevSecOps technologies should be built for the DevOps community and be application architecture agnostic
• DevSecOps technologies should be fully automated and provide insight into tested application behavior
• Adopting technology specifically built for DevSecOps is necessary for success

The speaker gave an example of how traditional security technologies, such as AST and DAST, are too slow and produce too many false positives and negatives because they have no insight into application behavior. He emphasized the need for sharpshooting rather than carpet bombing when searching for vulnerabilities.

Abstract:​On its 20th anniversary, the AppSec marketspace can boast an impressive, multi-billion-dollar size. Yet after 20 years, other security markets, such as Network Security, are much larger. On one hand, DevSecOps signifies a broad adoption of AppSec. Yet on the other hand, the stubborn statistics show that percentage of critical vulnerabilities in our applications is pretty much the same as 20 years ago. AppSec history has been anything but a triumph. Are we on the path to triumph now? What trends give us clues to the future of AppSec? In this presentation, we will review wins and failures of AppSec over the last 20 years, analyze their causes and consequences, inspect promises, and set up predictions for the years to come.​​​