How “all-in-one” AppSec detection can increase your liability
Who doesn’t love an all-in-one solution?
All-in-one products have an allure that’s hard to deny. Take laundry, for example. Who doesn’t love the idea of one machine that saves space and gets the entire job done? It sounds like a great idea, but purchasers say they take longer, don’t work as well, and reduce flexibility.
History is littered with examples of other multi-purpose products that fail to deliver on consumer expectations. (2-in-1 shampoo and conditioner, anyone?) In some cases, they even make customer challenges worse.
For AppSec, all-in-one isn’t all you need
When it comes to AppSec, there’s also good reason to be cautious about all-in-one detection solutions. One solution that scans and finds vulnerabilities across the entirety of your code sounds like a no-brainer, right?
What you might not realize is that such “all-in-one” solutions are not quite as comprehensive as they seem. Even worse, they can actually leave you with costly liabilities.
More detections do not always mean lower risk
Broad-based detection solutions draw customers in with the promise of scanning for security risks across the entire scope of your code. They measure their success in the volume of detections they produce, I have mentioned this in a previous blog (Developers Are Not a Cost Center). But detections alone do not lower your risk.
Developers are usually at full capacity writing code that directly builds and expands your product. Triaging, prioritizing, and finding time for developers to fix code vulnerabilities is a challenge. Too often, critical issues end up overlooked or perpetually delayed.
Here’s the thing: if you know about security vulnerabilities but don’t fix them, you can find yourself liable to stiff legal penalties.
Consider the well-known SolarWinds case. In October 2023, the SEC filed fraud and internal control failures charges against the company and its CISO. The SEC maintains that SolarWinds staff and leadership failed to act on known vulnerabilities that led to the now infamous attack on the company’s Orion software.
Before you start detecting, know how you will remediate
As the SolarWinds case shows, failure to act can become a big problem for you. So before you go all in on the comprehensive, all-in-one detection solution, you need a plan to remediate. If you want this plan to work for developers, you need to put yourself in their shoes and think, “As a developer what would I want? What would I need? To fix this security issue right now.” Lowering risk is usually not the top priority for a developer so to get them to buy in, you probably need to serve a solution on a silver platter.
And remember, you don’t have to tackle the whole problem at once. Consider limiting your AppSec scanning to the biggest problem areas in your code and look for solutions that will enable you to fix vulnerabilities more quickly and—ideally—without draining your developer resources.