RECAP FROM LAST WEEK

Last week we wrote about Contextually Aware Security, where we discussed moving beyond the challenges of static application analysis and into contextually aware analysis. This type of analysis and testing focuses on what happens in ‘The Wild’, shifting from one-time static analysis towards continuous analysis. This is where the rubber meets the road for application security, and understanding your true risk posture can only be done by looking at the full picture.

In this post we’ll expand on our concept of CAST – Contextually Aware Security Testing, and discuss where we think security is going.

The New Continuous Nature of Security

The past five years have seen a surge in what the market calls ‘DevOps’, and with it the always-on and continuous nature of both software development and deployment. To keep up with market demands and operate successfully in a world where Software-as-a-Service runs a good portion of our daily lives, it’s important that software can go from the hands of a developer to the screen of a user in record time.

Not unlike the changes in continuous software deployment, application security also needs to change its game. It needs to move beyond static or one-time analysis, which doesn’t take into account the thousands of shifting variables that exist in the real world. It also needs to understand the relationships between those variables, and what the resultant risk posture is.

It should be noted that the resultant risk of any given application is actually different for each organization (and perhaps even different for individual apps within the org), making any specific ‘security test’ tough to both deploy and enforce across every organization. But as we follow the thread of Continuous Security and weave that together with Contextually Aware Security, we believe you end up with the best chance we’ve got to protect your organization from threats.

CAST – Contextually Aware Security Testing Continued

Here’s the CAST overview in a nutshell: