Cybersecurity

Why Application Security Is So Imperative

By Robert Wood | August 16, 2022 (Updated: August 23, 2022) | 4 Mins Read
Application security continues to increase in relevance and importance. MITRE recently released its list of the most relevant vulnerabilities in 2022, which is dominated by application-tier issues. The security industry has understandably put a lot of emphasis on issues that orbit around application security, for example:

  • Patching/updating, whether it’s servers, containers, or open source libraries.
  • Configuration of developer frameworks, underlying infrastructure, or other related technologies.
  • Identity and access management: how we verify users, authenticate them, and grant them access to the things they need.

The above issues, while important, do not address the custom code written by software teams to build products. I’m not referring here to code consumed from other, third-party software teams (e.g., open source libraries or COTS tools that are packaged up and deployed), but to the code a team writes itself. This code is, in my experience, where application security activities such as threat modeling, developer training, and static code analysis are instrumental to overall security outcomes.

Application Security Activities

Application security is sometimes conflated with, or overly simplified to, specific things such as managing dependencies, pen-testing, or training developers. It includes those things, yes, but it’s a broader set of activities all centered on what it takes to build and operate resilient software. My personal opinions here are colored by my time at Cigital, which did nothing but application security, helping its customers across a range of industries build more secure software.

There are several maturity frameworks that discuss the range of activities in more detail and how they scale from initiation to mature capability, including BSIMM and the OWASP OpenSAMM. These models highlight the importance of looking at software from different angles and engaging in different layers of a technology stack.

Threat modeling can find things that penetration testing never will. Static analysis can find things that threat modeling never will. Software composition analysis can find things that security-focused linting never will. Combining these application security activities helps find and manage a more expansive set of risks than any one of them alone. More importantly, it reinforces a culture of building and operating secure software.

Solution Space

One of the challenging but simultaneously exciting things in the application security space is the range of emerging vendor solutions. Alongside this rise in vendor options, there’s a shift from catering to the security team member to building tools that cater to the developer experience while still aiming to produce a security outcome. Exciting examples here include Hashicorp and R2C’s Semgrep.

One of the reasons developer experience is so critical in this area is that software is so frequently directly associated with a value center in an organization. Tools that break builds, excessively slow down developer velocity, or break functionality in production environments are quickly stripped out by development teams.

This very real dynamic highlights the imperative for security teams to maintain that enabler focus — the need to be constantly mindful of the fact that security is not the primary mission or goal of the organization or a given team. If security teams can help developers do their jobs more effectively, they will have a much higher likelihood of succeeding. This needs to be front and center for every single tool selection and evaluation happening in this area.

My advice to other security professionals often includes engaging developers as part of pilots or evaluation teams, with the aim of creating shared ownership of the decision.

Concluding Thoughts

Application security is not going away anytime soon. If anything, it’s only going to grow in relevance as software eats the world. Security leaders need to be mindful of the range of activities relating to building secure software. There are multiple points at which security can be woven into a development lifecycle.

There are also considerations around how much friction the developer workflow can absorb. Too much will kill productivity and cause frustration. Done well, though, application security programs can be powerful enabling functions that simultaneously reduce the risk of running insecure software.

Robert Wood

Robert Wood is an Acceleration Economy Analyst focusing on Cybersecurity. He has led the development of multiple cybersecurity programs from the ground up at startups across the healthcare, cybersecurity, and digital marketing industries. Between experience with startups and application security consulting, he has both leadership and hands-on experience across technical domains such as the cloud, containers, DevSecOps, quantitative risk assessments, and more. Robert has a deep interest in the soft skills side of cybersecurity leadership: workforce development, communication, and budget and strategy alignment. He is currently a Federal Civilian for an Executive Branch Agency and his views are his own, not representing those of the U.S. Government or any agency.