Frankly Speaking 6/22/22 - AppSec is dead!
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Thanks for all the new signups, especially those who signed up for the paid version of Frankly Speaking! This week is the first week of premium content, so if you want to view the whole post, please subscribe.
LET’S BE FRANK
Ok, the title of the newsletter is a bit dramatic, but it’s hard to capture so many nuances in a Substack email header.
To be clear, I’m not saying that application security (appsec) is no longer relevant. Rather, I believe appsec as we know it is changing, so the current market will evolve and/or slowly shrink. The main assumption here is that most companies will trend toward an agile style of application development and a cloud-based deployment model for that application. This isn’t so hard to believe because engineering resources are limited, and spending them on maintaining physical infrastructure is not strategic for a large majority of software-focused companies. With the cloud and SaaS, it is easier than ever to start and grow a software company!
The evolution and/or death of appsec is part of a bigger security paradigm shift created by organizational shifts to the cloud. I’ve written in the past that datacenter security is dead, and why smart VCs, i.e. ones that want to make money, shouldn’t invest in network security.
In this post, I’ll discuss a few topics:
How the cloud is changing appsec and why appsec as a role is confusing but evolving
Why current appsec tools are outdated and the “next-gen” tools won’t solve the problem
Finally, where I believe the appsec market is going
For those VCs who don’t want to sign up for the paid subscription for whatever reason, the conclusion is that you shouldn’t invest in appsec companies!
Why is appsec changing?
The shift in appsec draws a lot of parallels to the emergence of the security engineer, which I wrote about in my last newsletter. It’s really about an organization’s shift to the cloud. I don’t want to talk about this more because plenty of my previous newsletters explain why this is happening and its implications, so I encourage you to read those.