software application

Episode 168: Application Security Debt is growing. Also: Web App Security in the Age of IoT

In this week’s episode of the podcast (#168), sponsored by Signal Sciences, Chris Eng of Veracode joins us to talk about the 10th annual State of Software Security Report and the problem of application security debt. Also, Brendon Macaraeg of Signal Sciences talks about the expanding landscape of web application attacks and defenses.

Ten Years On: Application Security Debt is growing

If you want a good measure of the growth in the web application space, you might look to Veracode’s annual State of Software Security report, which has taken the measure of that company’s application vulnerability scanning activity each year (more or less) for the last decade.

Chris Eng Chief Research Officer at Veracode
Chris Eng is the Chief Research Officer at Veracode

The report covered a little more than 1,500 applications in its first year. In its tenth iteration, Veracode compiled data from scans of more than 85,000 applications. 

Despite the greater volume, however, you could be forgiven for confusing the tenth SOSS with the first: most of the  vulnerabilities encountered in application scans are more or less the same as a decade ago. And it seems that companies haven’t made much progress in addressing vulnerabilities in a timely fashion. The result: mountains of security debt is piling up in enterprises as application security vulnerabilities are left unaddressed even as new vulnerabilities are created on top of them.

In our first segment, we speak with Chris Eng, the Chief Research Officer at Veracode, about why companies still  struggle to address application security, how security debt accumulates and what organizations can do to get it off their books. 

Opinion: Better Code Won’t Save Developers in the Short Run

Securing Web Applications in the Age of the IoT

As more and more businesses migrate legacy applications to the cloud, while adopting a cloud-first strategy for new initiatives, Web application security has moved from the periphery to the center of enterprise IT concerns. In our second segment, we’re joined by Brendon Macaraeg of the firm Signal Sciences* to talk about the expanding landscape of web application threats. Web application security is about more than spotting vulnerabilities in code. Once those applications are deployed they need to be defended against all manner of attacks. That’s where our next guest comes in.

Brendon Macaraeg is a Senior Director of Product Marketing at the firm Signal Sciences. 

Brendon Macaraeg is the Senior Director of Product Marketing at Signal Sciences, a next generation Web Application Firewall and RASP (runtime application self protection) technology.

In this conversation, Brendon and I talk about the changing landscape of web application protection including the growing risks posed by insecure web application APIs – application program interfaces- and how growth in the Internet of Things is compounding web application security risk. 

(*) Disclosure: This podcast was sponsored by Signal Sciences. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to to get notified whenever a new podcast is posted.