Defend to Secure: A Journey
I've been given a great privilege this week — I was approved to go to the RSA conference this year. If you will be there as well, reach out. I mused to my wife that this would be the first conference I've gone to that I wasn't working at since the USENIX/LISA conference in December of 2000 in New Orleans. I started to get really excited around the idea of going to a conference and getting to attend sessions and talk to presenters and OEMs, but what was I hoping to get out of this experience?
By way of background, I come out of the application delivery space. Before I joined WWT, I spent 16 years at F5, in both pre- and post-sales roles. Even when I came to WWT, my focus and specialty was around application delivery. I came from a background of system administration and networking. These are common backgrounds for anyone who is in application delivery. Understanding ports and the protocols from layers 1 through 7 was vital, and still is.
There is something new though. Cloud and the explosion of microservices-based architectures, along with globalization, are driving adoption of APIs at a dizzying rate. Traditional methods for security have gaps that are being identified currently. New trends in development and newer, ever-increasing demands for more agility and shorter time to market are driving things like "shift left", and things are very messy right now. It is a very exciting time as the way we have been doing things and the way we will do things are converging.
As they converge, "shift left" is the rallying cry to secure the code and the entire CI/CD pipeline. Many forces seem to be compelling this new focus on pipeline and code security. We are seeing new regulations requiring companies to identify the "ingredients" of their applications, and so the Software Bill of Materials (SBOM) is born. This is a bubbling cauldron right now of new players and even new markets, all to the "left" of where I have traditionally thought of security, on the defend side. The symbiosis of this market trend with where we have been is obvious, but better understanding the links between them is key to why RSA 2023 is exciting for me.
This is coming at a critical inflection point in this market and industry right now. Cloud is no longer the disrupter it once was. It is quickly becoming the assumption, for better or for worse. What cannot be denied is that cloud has changed the way we do business and the way we consume data and services, and these behaviors are leading to massive and disruptive changes in the industry. Terms like SSDLC, ASOC, SBOM and CSPM abound and are bandied about commonly but didn't exist in the parlance of most people in IT security.
I hope to spend my time understanding these new spaces and delving into deep dives with the pertinent OEMs. I plan on being at all the sessions I can on these topics, which WWT's customers are all struggling to deal with day in and day out. I'll be looking for OEMs that are driving integration and ease of consumption because, as we all know, a difficult-to-use solution is a solution that doesn't get used. I'm looking for those integrations that cross over and integrate the secure with the defend and provide customers with a holistic and fully automated toolchain that doesn't just add another burden to the developer's already burdened head.
Follow along as I post my impressions of RSA 2023!