Cybercriminals aim to obtain valuable information in every way possible. Their attack vectors are no longer limited to sophisticated social engineering methods; they also focus on finding and exploiting vulnerabilities within various applications.
While people can protect their private information online with a VPN, companies developing apps should ensure security in the first place. However, this is quite challenging, as it often comes down to a trade-off between security and agility.
For this reason, we've had a chat with Brittany Greenfield, Founder and CEO at Wabbi, a company that offers a Continuous Security, development and integration platform, about how developers can improve their application security without any sacrifices.
What has your journey been like? How did the idea of Wabbi come about?
Wabbi was founded at a time when the industry was focused on how to fit the tools into the Software Development Life Cycle (SDLC), whether shifting them left, speeding them up, or shoving them in the middle of DevOps, which created the DevSecOps hairball. Instead, Wabbi focused on how to orchestrate and assimilate security processes into development, so educated and automated decisions could be made about security the same way they are made about other development components – the tools are merely one aspect of this process. As the world of application security expands beyond the lines of code, focusing on the process is the only way to ensure that secure code can be shipped repeatedly and reliably without sacrificing agility.
Can you introduce us to your Continuous Security platform? What are the main challenges you help navigate?
Organizations implement (or strive to) a CI/CD for that word continuous – the ability to continuously adapt and meet the most current needs of the business, while always being ready to ship code. This is where Wabbi’s Continuous Security platform comes in: ensuring code is always ready to ship in line with the most current application-specific security standards. To accomplish this, current solutions require a trade-off between security and agility. However, by orchestrating each enterprise's unique application security program, Wabbi enables security teams to capture centralized and automated governance. At the same time, development teams are empowered to manage security as part of their day-to-day workflows, unifying processes between development, security, and operations teams. Both security and software are living, breathing things – Wabbi’s Continuous Security platform manages these changes, without disrupting the business.
What threats surrounding applications do you find the most concerning nowadays?
I don’t think anybody needs convincing that every organization and person is a potential target now. So, it’s not a specific threat that concerns me, but rather the scale of threats that our existing security processes cannot meet.
More tactically, we’ve seen this in the multi-million security practitioner deficit that has persisted for years: supply cannot keep up with demand. This means we must truly go to the mantra of "security is everybody’s job." However, we must empower them to own it within the frameworks. We cannot just expect they will suddenly become security experts.
Research shows that 9 out of 10 breaches begin with defects in code. The AppSec market is highly fragmented with point solutions trying to catch up with modern development. Wabbi addresses the paradigm shift in how application security is done and drives this transition forward to build more resilient products and enterprises.
Do you think the recent global events altered the way people approach cybersecurity?
Absolutely. The shift to remote work drove a more holistic approach to cybersecurity that couldn’t focus just on co-location. This was not just the fact that people had to be able to do their work securely while remote, but also that many teams started being on asynchronous schedules to manage their work with their personal commitments. To keep companies secure, without hindering the ability to work, requires an approach to security that balances breach risk with all the other kinds of business risks, including the risk of hindering productivity.
You recently published your annual Continuous Security Research. Would you like to share some of the key insights?
What was most interesting is that everybody, and I mean everybody, knows it’s important to integrate security into the SDLC, with 98% placing high importance on it (68% highly important, 30% critical), and even the remaining 2% noted it was somewhat important. However, there’s a clear disconnect between knowing and doing, as only 15% report that security is always integrated from the beginning of the development lifecycle.
Additionally, the report found that there’s been a shift in mindset and thinking that integrated security is just about reducing breach risk, with the top two most important benefits of integrating security into software development lifecycles being improved productivity (70%) and cost savings (67%). There’s no doubt this reflects seeing the top impacts of poorly integrated security being delays in project delivery (72%) and financial loss (63%).
Optimistically, there was a best-in-class group that has empowered development teams to own application security, while still giving security accountability (31%), who are 32% less likely to report their organizations have released applications with security vulnerabilities in the past 12 months. In addition to being three times more likely to provide development with security requirements and opportunities for feedback in the planning stage of the SDLC, and two times more likely to report these processes are fully automated, they are also almost twice as likely to have already adopted a continuous security strategy.
What dangers can users be exposed to if the software code does not meet the latest security standards?
Both software and security are living and breathing, which means it’s not enough to just adopt the latest security standards. Organizations must have a reliable way of communicating and enforcing them. Without a method to take a continuous approach to application security (the discipline of practices, processes, and tools used throughout the entire application lifecycle to protect applications from threats), the danger of insecure code is the danger of an unwitting breach. Not knowing whether or not your code meets the most current standards that you have set is one of the greatest dangers to any company.
What are some of the best practices organizations should follow when developing software or an application?
Good application security is not about delivering locked-up code, but rather code that has followed a process to meet both the security and business requirements. When organizations shift their focus to ensuring code follows the process, they can make educated decisions to align security risk with business risk. This means that development teams need to be empowered to manage security as part of their day-to-day workflows so that security teams can focus on managing these risks and driving continuous improvement of the security processes.
Talking about individual users, what security tools do you think should be a part of everyone’s daily lives?
Good common sense is the best security tool that anybody can have. Of course, it’s important to leverage the security products that come pre-installed on our devices today, but it should not lull you into a false sense of confidence of being secure just because you have them turned on. Like everything else in life, taking a moment to pause and think twice can save a lot of work and headaches later.
What does the future hold for Wabbi?
Wabbi is changing the definition of how application security is done. It's no longer a siloed process or a step in a checklist. The world of application security is expanding out of the realm of just security and development through the checks and balances implemented in all the software and technology used by a company to deliver on the customer promise. This does not mean we are only building for the future of applications, but also for the past and present, as every organization has its own processes and tolerances that a platform needs to be responsive to – not lock them into. As Wabbi snaps into the existing DevOps toolchain as the AppSec infrastructure layer, organizations will stop having to wonder if their secure development processes have been followed; they will know, so they can keep delivering at the pace their customers demand.