Most security tools are too theoretical
That's why they churn customers, are easily replaceable, and fail
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Maybe it’s FY25 planning, or maybe I have been attending more security events. I’ve been thinking more about security tooling and what it gets us. We, as a community, complain about security tools, but we keep using them. In fact, we are spending more money on them year after year, even though many security tools seem to have short shelf lives or are just shelfware. Also, it feels like when we switch tools, they don’t actually solve problems for us. So we end up in an endless cycle of churning through tools, which carries substantial administrative overhead, e.g. procurement, sales calls, etc.
Why do security products churn so much? Sure, there are probably many reasons for this. One main reason that I see is that most products are incremental, and it’s not clear the original product solved a key problem in the first place. Appsec is a good example of this. It’s very easy to compare the vulnerabilities that Snyk catches versus those of its competitors like Semgrep, Socket, etc. On top of that, because these SaaS products are easy to onboard, they are also easy to offboard, making switching costs low. These companies are always in a constant battle royale to ensure that they find more vulnerabilities. That is the crux of the problem. Does that metric matter in determining whether this product is effective? By “effective,” I mean does it help the application security team get buy-in from the executive team and leadership to have resources to solve this problem? It also doesn’t help that compliance is a major driver for vulnerability management, which is a hard reason to get behind, especially if the goal is to get more investment — companies want to invest the least amount of money possible to check a box for compliance.
I’ve talked about the changing reality of appsec, and why I believe the industry is stagnant.
This leads to the next problem tools face. Too many tools promise to solve an organizational problem, and security leaders are using tools to solve that problem. The issue is that you can’t solve organizational problems with security tools. They might help identify those problems or assist in solving them, but buying a tool alone won’t solve the problem itself. For example, going back to application security: having a tool that finds more vulnerabilities, or reports them better, won’t make engineers more likely to fix them. Fixing vulnerabilities is a cultural issue that requires buy-in from multiple stakeholders and convincing them that doing so benefits the business. This is commonly lost on security teams, where the focus is too much on risk reduction.
I talk a lot about how to shift away from risk to trust and why trust is more important than risk. However, I never explicitly mention the problem with thinking about security as a way to reduce risk. Of course, that’s a good part of security, but thinking of security as just that makes security’s goals feel too theoretical.
That’s why I believe so many security programs struggle to get buy-in. Yet so many security teams think this way that tools have to follow suit, i.e. the tools have to solve theoretical issues.
The theory of security
Using our running example of application security, it’s hard to understand why we should be fixing vulnerabilities at all. It seems that most vulnerabilities are hard to exploit. Maybe fixing the critical and high vulnerabilities seems worthwhile as a way to improve code quality, but why fix the medium ones? Some might argue that the medium ones might become high, or that a few of them together might become a critical vulnerability.