Proactive Security

The future of security is proactive


The current state

The current state of Cloud & Application Security is very much around reactive solutions; the -SPM buzz has taken over: CSPM, ASPM, DSPM, AISPM, you name it.

But why did it come about? Because of one of the most difficult problems in the Security world: Security teams want things patched and secured while Engineering teams want operational freedom. During my army days we had some solutions where the security constraints were so high that Engineering teams didn’t like us very much.

So Posture Management came along with what I like to call: The Psychologist approach - gently guiding you to figure out what’s broken so you can fix it step by step.

This solution kinda worked: Engineering teams can keep driving the product forward without security pushing them back as much, but the actual security benefit leaves much to be desired - a lot of things are still left vulnerable for an attacker to exploit.

Also, the explosion of alerts causes Security teams to be fatigued while constantly fighting remediations and fixes.

How can we improve?

Let’s look at it like trying to build a large building: in order to keep the building from falling apart you need to build strong foundations. It is exactly the same with Security: best practices in security architecture and secure guardrails can save you a lot of problems down the line, yet they are often the most overlooked part of the security world.

The future of Security

But still, security isn’t a one-stop shop. How do you keep your security intact when the company continues to grow and expand? This is what I define as the area of Proactive Security. This security paradigm is basically the question: how do we prevent bad things from being deployed to our environment?
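To make the contrast concrete, here is an added example (written for this post, not code from any product it mentions) of the same policy checks used in the two modes described above. `posture_report` is the reactive, -SPM style: it scans what is already deployed and counts findings for someone to chase later. `gate` is the proactive guardrail: it evaluates a manifest before deployment and simply refuses the bad ones. The manifest shape is a simplified Kubernetes-style workload as a Python dict, and the allowed registry, rule names and sample manifests are all assumptions constructed for the example.

```python
"""Added example: the same policy checks as a reactive posture report and as a
proactive deploy-time gate. Illustrative code written for this post; the manifest
shape, rule names and the allowed registry are assumptions, not a real tool's API.
"""
from collections import Counter
from dataclasses import dataclass

# Assumption: images must come from a corporate registry (constructed value).
ALLOWED_REGISTRIES = ("registry.internal.example/",)


@dataclass(frozen=True)
class Violation:
    rule: str
    message: str


def _pod_spec_and_containers(manifest):
    """Extract the pod spec and all containers (regular + init) from a workload."""
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    return pod_spec, pod_spec.get("containers", []) + pod_spec.get("initContainers", [])


def _is_pinned(image):
    """True when the image is pinned by digest or by a tag other than 'latest'."""
    ref = image.rsplit("/", 1)[-1]  # last path element, e.g. 'web:1.4.2' or 'web@sha256:...'
    if "@" in ref:
        return True
    return ":" in ref and not ref.endswith(":latest")


def check_manifest(manifest):
    """Return every policy violation found in one workload manifest."""
    violations = []
    pod_spec, containers = _pod_spec_and_containers(manifest)
    if pod_spec.get("hostNetwork"):
        violations.append(Violation("no-host-network", "pod shares the node network namespace"))
    for c in containers:
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(Violation("no-privileged", f"container {name} runs privileged"))
        if sc.get("runAsNonRoot") is not True:
            violations.append(Violation("run-as-non-root", f"container {name} does not set runAsNonRoot: true"))
        if not image.startswith(ALLOWED_REGISTRIES):
            violations.append(Violation("approved-registry", f"container {name} image {image!r} is not from an approved registry"))
        if not _is_pinned(image):
            violations.append(Violation("pinned-tag", f"container {name} image {image!r} is not pinned to a tag or digest"))
    return violations


def posture_report(deployed_manifests):
    """Reactive mode: scan what is already running and count findings per rule."""
    counts = Counter()
    for m in deployed_manifests:
        counts.update(v.rule for v in check_manifest(m))
    return dict(counts)


def gate(manifest):
    """Proactive mode: True means the deploy may proceed, False means it is blocked."""
    return not check_manifest(manifest)


# Constructed sample manifests (not taken from any real environment).
BAD_MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "web-bad"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "nginx:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}

GOOD_MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "web-good"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "web", "image": "registry.internal.example/web:1.4.2",
                        "securityContext": {"privileged": False, "runAsNonRoot": True}}],
    }}},
}


if __name__ == "__main__":
    # Reactive: a report of what is already wrong in the fleet.
    print("posture report:", posture_report([GOOD_MANIFEST, BAD_MANIFEST]))
    # Proactive: the bad manifest never reaches the cluster.
    for m in (GOOD_MANIFEST, BAD_MANIFEST):
        verdict = "DEPLOY" if gate(m) else "BLOCK"
        print(m["metadata"]["name"], "->", verdict)
        for v in check_manifest(m):
            print("   ", v.rule, ":", v.message)
```

The point of keeping one `check_manifest` behind both entry points is that the rules do not change between the two paradigms; only the moment they run does. In the report, each finding becomes a ticket and a remediation argument with the owning team. In the gate, the same finding is a failed pipeline step with the exact message the engineer needs to fix it, which is the "strong foundations" approach of the previous section applied at deploy time.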

It leaves us with the hard question though: how can we solve the tension between operational and secure? I predict that the person who answers that question will have a billion dollar company in his hands.