Live From RSAC: Is Digital Transformation Making AppSec Headless?

Chris Wysopal, Veracode Co-Founder and CTO, recently sat down with Tom Field, ISMG Senior Vice President of Editorial, for an executive interview at the RSA Conference 2021 to discuss if digital transformations are making application security (AppSec) “headless.”

Headless AppSec is an interesting concept. AppSec was traditionally part of the security role. But, as companies become increasingly digital, it’s too time-consuming for developers to hand off AppSec scans to security. To combat the hand-off, companies have been moving AppSec scans to the development role. But without the right processes in place and without security knowledge, AppSec scans can be just as laborious in the development phase. The ultimate goal is to make security “headless” or managed as part of code instead of a separate task.

The pandemic is definitely expediating this shift to headless AppSec. As Wysopal stated, “There’s no doubt that Covid-19 has accelerated all the things that companies were doing anyway, but on a much longer path.” Many companies were in the process of a digital transformation but – when the pandemic hit – they realized that in order to be competitive in the market, they needed to ramp up their shift to digital and move to the cloud for more flexibility.

The pandemic has also caused organizations to change the way that they’re building software. The market is more competitive than ever. So, to keep up, organizations need to iterate quickly and go to market faster. In fact, many organizations are coming up with a new feature in a day and going to production in a day.  

But this speed is proving the need for headless AppSec. You can no longer have different teams building code, testing code, etc. You need to automate these processes and have them handled by one team. Ideally, the developers should be able to not only write code but also diagnose bugs and put fixes in place.  For example, infrastructure itself is becoming very dynamic and programable. Consider the rise of microservices, container security, and Kubernetes. It’s pushing all the things operations used to do into code so that developers can control it. 

Development and operations aren’t the only two functions that should be on the same team, security should be as well. Security tools should be put in the developer pipeline so they can remediate flaws without having to connect with security personnel.

Wysopal advocates for a security champions program to help train interested developers in security best practices. These developers can act as the voice of security on their scrum teams, eliminating the need for a security hand-off. And all security tools should be automated into the developers existing tools and processes so that they don’t have to spend additional time conducting AppSec scans.

This automation could open the door to machine learning and artificial intelligence. Machine learning thrives off data sets from automation. It can evaluate scan data and code that was previously remediated to come up with rules for auto-remediation. If AppSec scans are automated and remediation is automated, that would be the ultimate form of headless AppSec. According to Wysopal, auto-remediation is a very real possibility and we should be seeing it by the end of the year.

For more updates on the RSA Conference 2021, check out the Veracode Blog, daily.