
Top 5 Application Security Takeaways from RSA Conference 2022

RSA Conference 2022 was held in San Francisco, June 6-8, 2022. The cybersecurity industry welcomed back RSA 2022, which was held in person at the Moscone Convention Center in San Francisco. Following a one-year hiatus due to Covid, the conference was back, stronger and well-timed to address the developments of the recent past. With a huge emphasis in the industry on software supply chain attacks, here are five key application security takeaways from this year's RSA Conference:

  1. Application security and software supply chain attacks dominated industry attention – the last eighteen months had seen a huge surge in software supply chain related breaches. Following incidents like SolarWinds, the Kaseya attack, Colonial Pipeline and many others, there were additional and more recent attacks such as the Log4J and Lapsus$ attacks that impacted Samsung, Nvidia, Microsoft, Heroku, Travis CI and many more.
  2. RSA Conference adopted application security as a key topic area for program sessions – during the three days, June 6-8, in addition to all the other product segments, DevSecOps and Software Integrity made up over 40 major track sessions and sandbox sessions that fell within the space. These were grouped into the sub-categories of Application Security, Open Source Security, Container Security and Cloud Security.
  3. Organizations are asking who is responsible for application security: is it the development team or the security team? This year's RSA Conference featured segment-specific sandbox areas, one of which was application security. One of the key presentations was "Spreading Application Security Ownership Across the Entire Organization". As the need for application security grows, this session sought to answer questions such as "who is responsible for application security and code security in the organization?". Actual titles or functional titles of application security engineer or product security engineer are starting to appear in development or security teams, an indicator that companies are getting serious about code security.
  4. Big box security vendors have added, or are adding, application security and software supply chain security offerings to their solution portfolios. Vendors like Palo Alto Networks, Rapid7, Microsoft, Google, Amazon Cloud, Elastic Cloud etc. have added application security as well as API security capabilities.
  5. Code security solutions are an expanding category – secure code review, open source code security, software composition analysis and software bill of materials are adjacent categories of tools being added on to SAST and DAST tools. Infrastructure as code (IaC) saw huge growth as enterprises look to automate the tedious task of manually configuring their applications in the cloud.

What’s new from BluBracket?

In the week prior to RSA Conference 2022, BluBracket launched major enhancements to its cloud-based code security platform to address high-risk content in code, including secrets in code, code leaks, access governance risks and the presence of PII, to name a few. Some of the highlights included the ability to consolidate risks present in internally developed source code contained in git repos and combine those with external dependency risks from tools like Snyk and others. This provides an unprecedented consolidated view of code risks. Additional capabilities include predefined open source recipes for BluBracket's CLI tool, making it easier for developers and AppSec engineers to look for risks in Confluence, S3 buckets and log files, in addition to source code.

For more information about BluBracket's code security solution, find out more here.

*** This is a Security Bloggers Network syndicated blog from BluBracket: Code Security & Secret Detection authored by Pan Kamal. Read the original post at: https://blubracket.com/rsa-conference-2022-roundup-offers-a-lot-to-practitioners-of-devsecops-and-application-security/