The cloud has changed corporate application development so much that we are only now realizing the extent of the changes. Running on different servers in someone else's datacenter is a big difference compared to running inside a protected perimeter, on a carefully monitored datacenter server attached to dedicated network connections that provide access to only a few. Most corporate application development is already aimed primarily at the Web. Application developers have raised their cadence so releases come every few days, not once or twice a year. AppSec now has to squeeze into tiny windows of time and fit into endlessly repeated rounds of action, result and re-evaluation, which has changed the jobs of nearly everyone involved in application security, from developers to SysAdmins. The speed, repetitiveness and changes in responsibility make it hard for traditional approaches to AppSec to work, but most organizations find it disruptive to make a wholesale leap to DevOps or other agile development methods that are, by comparison, just as radical.
AppSec and threat-management guru Adam Shostack will examine the choices, lay out best practices for using both methods of AppSec in one larger organization, and provide criteria for deciding which should take precedence, when and for what, and how to structure an organization to adapt to an environment changing as quickly and drastically as the web apps themselves.
Click Here to be among the first to receive access to the associated whitepaper developed by Adam Shostack.