Solution Providers Say Focus On Application, DevOps Security At All-Time High
The latest trend on the rise in the security market has solution providers and vendors making investments to position themselves to help customers secure their applications.
Andrew Howard, CTO of Switzerland-based Kudelski Security, said a growing threat landscape and an expanding application footprint have laid the groundwork for increased demand for web and application security.
"We're absolutely seeing growth in that area," Howard said.
Application security has always been on customers' radar but seems to be moving up the priority list, according to Howard, who added that it is now one of the top five security priorities for most chief information security officers. CISOs are looking to move beyond application security as a compliance checkbox, launching full application security teams and looking to boost their capabilities around securing applications, he said.
That's a trend that wasn't there a year ago, said Jane Wright, principal analyst at Technology Business Research. However, in the past nine months or so, she said the conversation has shifted and customers are looking to invest in application security, particularly around web and email applications. Driving that shift are a rise in ransomware, the move to cloud-based applications and more customization capabilities.
That uptick in application security investment is showing, Wright said. According to TBR research, 17 of the companies covered by the firm have significant application security offerings. Those offerings grew revenue at those companies 19 percent from the second half of 2015 to the second half of 2016, significantly higher than the 11 percent the security market grew overall, she said.
"It is outpacing the market. … It's really picking up," Wright said.
Doug Cahill, senior analyst at Enterprise Strategy Group, said he sees a couple of factors driving the focus on application security. First, he said there is an increased use of Agile software development and DevOps, which is allowing for more conversations around how to streamline security into the development process. That is only accelerated with increased adoption of the cloud, he said.
"I think there's awareness of the fact that we're in an application economy and that code has to be secure. Code is everything, so code has to be secure. … Application security just makes so much sense. … It's fundamentally about moving security upstream," Cahill said.
After the development process, there are more opportunities around application security, including dynamic security testing, virtual patching and web application firewalls, he added.
Vendors are seeing the opportunity, too, with multiple companies making acquisitions in the application security space in recent weeks. New York-based CA Technologies said in early March that it planned to acquire Veracode, a cloud-based secure DevOps platform for securing web, mobile and third-party enterprise applications throughout the software development life cycle, for $614 million.
Okta also said in March that it planned to double down on the application security market, acquiring Stormpath to add to its technology portfolio and talent pool around identity authentication, authorization, and user management for web and mobile apps.
Chief Product Officer Eric Berg told CRN that Okta sees companies going through a transformation around software development, looking for alternative ways to accelerate the development of web and mobile applications. Security is increasingly becoming a more critical piece of that conversation, he said, driving application security to be a "healthy business" for the San Francisco-based company.
"We're taking a high-growth business of ours and supercharging it," Berg said.
There are multiple opportunities for solution providers around application security, Kudelski's Howard said. First, he said solution providers can help customers take inventory of their web applications, which he said is a challenge with shadow IT and a constantly changing application footprint in large organizations. CISOs should start with securing their most critical business applications, and then look to secure the rest of the applications in the environment, he said.
The second area of opportunity for solution providers is to help companies test their applications, bringing in an external or internal team for testing and using security tools to test for weaknesses, he said.
Third, companies such as Kudelski can help customers put defensive mechanisms in front of their applications, including web application firewalls and deep packet inspection capabilities, he said. Finally, there is an opportunity to prevent security flaws from happening in the first place, with training and integration of continuous security testing into the DevOps process and after launch, according to Howard.
David Powell, general manager, service provider business, at Santa Barbara, Calif.-based LogicMonitor, said another opportunity he sees for solution providers around application inventory is in what he called "application rationalization," where they look to make more strategic application investments. That includes making more strategic buying decisions, disaggregation of the application stack, investing further in making critical applications run better, and eliminating applications that aren't in use, he said.
Solution providers have a role in helping customers go through the application rationalization process, he said. From a security perspective, that changes the landscape for application security, broadening the threat landscape but allowing companies to more easily isolate applications and improve identity and access management, according to Powell. This shift demands a different set of skills from application and security professionals, putting more emphasis on automation and orchestration capabilities, he said.