AI is creating the next-gen of appsec companies
AI will make appsec more efficient and require less specialization
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’m excited to announce that Susan Chiang is joining as our CISO at Headway! Her resume speaks for itself. I’ve known Susan for several years, and she brings a wealth of relevant security experience to our company at a critical time. I’m excited to partner with her!
If you want to join us and help us securely create a mental healthcare system that everyone can access, please contact me or apply on our website!
I’ve seen news about the “big 3” public application security companies. An activist investor is trying to sell Rapid7. Tenable is looking to go private. Qualys is reinventing itself — it’s focusing on attack surface management and cloud security. In my mind, these were the legacy application security companies. They have become less relevant as more companies have moved toward the cloud and agile. This has made it easy for companies like Snyk and Semgrep to fundamentally change the way that application security is done.
These changes with the “big 3” also show that we are fully exiting a phase in application security. This new phase will have developer-focused security tools like Snyk and Semgrep be the contenders rather than the disruptors as they become mainstream with increased adoption. So, what will the next generation of disruptors look like?
I believe that recent advancements in AI will find their strongest initial adoption in application security. This runs contrary to the popular view in security that AI will find its strongest adoption in operationally intensive tasks, such as incident response and authentication threats. Although that may happen, these tasks already use a fair amount of machine learning and AI, so the recent advancements in LLMs will likely not make as material a difference.
Before the recent surge in LLMs and genAI, I wrote about how appsec is dead and how reality has changed for appsec companies. It’s increasingly hard to build a valuable appsec company. It’s likely that most customers will get less value out of their current appsec tools and will continue to reduce their usage, and as a result, pay less. In other words, the market share and total addressable market are shrinking.
This doesn’t mean that the problems in appsec are solved or even easier to solve. It just means that the available tools aren’t built to solve a company’s current needs. If anything, appsec is becoming more important given the growth in supply chain attacks and usage of cloud-based applications. Applications are getting more complex, which also makes it hard for appsec tools to detect issues in a precise manner — having too many false negatives or positives creates too much operational work for teams and makes the tool not valuable because it creates more work than it’s worth. In short, application security tools haven’t been able to keep up with the pace of change in software and application development.