In this week’s episode of the podcast (#168), sponsored by Signal Sciences, Chris Eng of Veracode joins us to talk about the 10th annual State of Software Security Report and the problem of application security debt. Also, Brendon Macaraeg of Signal Sciences talks about the expanding landscape of web application attacks and defenses.
Ten Years On: Application Security Debt is growing
If you want a good measure of the growth in the web application space, you might look to Veracode’s annual State of Software Security report, which has taken the measure of that company’s application vulnerability scanning activity each year (more or less) for the last decade.
The report covered a little more than 1,500 applications in its first year. In its tenth iteration, Veracode compiled data from scans of more than 85,000 applications.
Despite the greater volume, however, you could be forgiven for confusing the tenth SOSS with the first: most of the vulnerabilities encountered in application scans are more or less the same as a decade ago. And it seems that companies haven’t made much progress in addressing vulnerabilities in a timely fashion. The result: mountains of security debt is piling up in enterprises as application security vulnerabilities are left unaddressed even as new vulnerabilities are created on top of them.
In our first segment, we speak with Chris Eng, the Chief Research Officer at Veracode, about why companies still struggle to address application security, how security debt accumulates and what organizations can do to get it off their books.
Securing Web Applications in the Age of the IoT
As more and more businesses migrate legacy applications to the cloud, while adopting a cloud-first strategy for new initiatives, Web application security has moved from the periphery to the center of enterprise IT concerns. In our second segment, we’re joined by Brendon Macaraeg of the firm Signal Sciences* to talk about the expanding landscape of web application threats. Web application security is about more than spotting vulnerabilities in code. Once those applications are deployed they need to be defended against all manner of attacks. That’s where our next guest comes in.
Brendon Macaraeg is the Senior Director of Product Marketing at Signal Sciences, a next generation Web Application Firewall and RASP (runtime application self protection) technology.
In this conversation, Brendon and I talk about the changing landscape of web application protection including the growing risks posed by insecure web application APIs – application program interfaces- and how growth in the Internet of Things is compounding web application security risk.
(*) Disclosure: This podcast was sponsored by Signal Sciences. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.