mhill
UK Editor

Backslash AppSec solution targets toxic code flows, threat model automation

News
Mar 22, 2023, 4 mins
Application Security, DevSecOps

New cloud-native solution aims to address time-consuming, manual methods for discovering and mapping application code security risks.

Backslash Security has announced its launch with a new cloud-native application security (AppSec) solution designed to identify toxic code flows and automate threat models. The solution is built to address time-consuming and manual methods for discovering and mapping application code risks, along with filling the cloud-native context gaps left by traditional static application security testing (SAST) tools, Backslash stated.

Organizations are embracing the cloud and cloud-native application development with the percentage of large businesses that deploy code to production daily expected to increase from 5% in 2021 to 70% in 2025, according to IDC research. Meanwhile, AppSec teams face ongoing challenges in keeping pace with their fast-paced development counterparts.

Backslash helps AppSec teams reduce false positive alerts and alert fatigue

The Backslash solution provides AppSec teams with security insights and business context surrounding code risks, tracking the security posture of different applications and teams involved, the vendor said. Through unified visual mapping of threat models and application posture, AppSec teams can reduce false positive alerts and alert fatigue, cutting mean time to recovery (MTTR) by enabling developers with the evidence they need to take ownership of the process, Backslash added. The firm said the solution offers:

  • Contextual visibility that empowers AppSec teams with automatic discovery and mapping of cloud-native application code and its dependencies via contextual visual dashboards, without the need to read or understand the underlying code
  • Automatic threat model visualization that maps and serves up preferred threat models
  • Automatic high-risk code prioritization informed by application cloud posture in production
  • Quick-fix remediation that simplifies vulnerability and risk remediation with automated risk identification
  • Scale by policy alignment that frees up AppSec teams to set and enforce optimal cloud-native security policies and cuts the time and resources needed to chase code issues

Traditional AppSec methods create friction between developers, security teams

Friction can arise between developers and security teams because traditional AppSec methods are disruptive to cloud-native development, commented Melinda Marks, senior industry analyst at ESG. “Developers need an accurate way to efficiently identify and fix code issues in their workflows without being overwhelmed by alerts or false positives, while security needs a scalable way to manage risk,” she added.

Brian Fielder, general manager, CTO enterprise security at Microsoft, echoed similar sentiments. “AppSec teams are struggling as companies rapidly shift to cloud-based deployment environments, because the traditional solutions just aren’t keeping up.”

Problems are compounded by AppSec tools that produce an excessive number of low-value alerts, leading to an overwhelming amount of noise and security false positives. What’s more, security teams spend upwards of 25 minutes investigating each one and, due to the volume, cost, and time involved, almost a quarter of alerts are simply ignored.

The Backslash solution addresses such challenges by using the properties of the stack and modern development environments to give security teams the context they need to support development as it scales, Marks said.

Tailoring cybersecurity training to developers to tackle risks

Aside from investing in more effective AppSec and developer-focused security technologies, another approach security leaders support is to tailor security awareness training to software developers to help address a lack of cohesion between software development teams and cybersecurity functions. Security awareness training has, for a long time, failed developers, Tiffany Ricks, CEO and founder of automated security and awareness training provider HacWare, previously told CSO. “The tricky thing about security training for developers is it has to be relevant content, at the right time, to promote innovation.”

Legacy, classroom-based approaches don’t engage developers or impart the knowledge required to match the fast-paced threat landscape and dynamic technology fundamentals of the software development lifecycle, whilst 81% of developers have knowingly released vulnerable applications, according to an Immersive Labs report.