Qualys offers GPS guidance for developers at the application security crossroads

All developers care deeply about application [development] security.

Okay, that’s perhaps not always strictly true… let’s try again.

All developers care deeply about application functionality and speed, which they then carry through to a secondary level of concern related to Ops-level application manageability, flexibility and security.

How then should we engage with programmers on aspects of security, especially as it now straddles something of a crossroads brought about by the move to increasingly cloud-native, cloud-first application development?

Security specialist Qualys [pronounced: KWAL-IS] has attempted to address the application development security subject head-on by hosting what probably ranks as the first tech event of 2020.

Qualys Security Conference London 2020 ran this week in London with the tagline ‘application security at a crossroads’… and isn’t it just?

The company billed the event as an opportunity to explore the ‘profound’ impact of digital transformation on the security industry and what it means for practitioners, partners and vendors. 

DevSecOps practitioners

Qualys is clearly focused on gaining attention from CIOs, CSOs and CTOs; but at ground level, the company says it works with network managers, cloud developers and security developers… or, as they are known these days, DevSecOps practitioners.

So for developers then… as we have noted before on the Computer Weekly Developer Network, the Qualys Web Application Scanning (WAS) 6.0 product now supports Swagger version 2.0 to allow programmers to streamline [security] assessments of REST APIs and get visibility of the security posture of mobile application ‘backends’ and Internet of Things (IoT) services.

NOTE: Swagger is an open source software framework, backed by a considerable ecosystem of tools, that helps developers design, build, document and consume RESTful web services. The Swagger 2.0 definition format is the same one now maintained as version 2.0 of the OpenAPI Specification, so a scanner that imports it gets a machine-readable list of every path, method, parameter and security requirement the API exposes.
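To make concrete what a scanner does with an imported Swagger 2.0 definition, here is an added example (written for this page, not Qualys code, and the Swagger document embedded in it is constructed for illustration): it walks the `paths` object, resolves path-level and operation-level parameters, applies Swagger’s rule that an operation-level `security` list overrides the document default, and reports which operations are reachable with no declared security requirement… exactly the ‘backend’ endpoints a developer most wants flagged before a mobile app ships.

```python
"""Enumerate the attack surface described by a Swagger 2.0 document.

Added example (not Qualys code). A scanner that imports a Swagger 2.0
definition first turns it into a list of concrete operations to exercise;
this does that and flags operations that declare no security requirement.
The document below is constructed for illustration only.
"""
import json

# Constructed Swagger 2.0 document for a hypothetical mobile backend.
SWAGGER_DOC = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Example Mobile Backend", "version": "1.0"},
    "host": "api.example.invalid",
    "basePath": "/v1",
    "schemes": ["https"],
    "securityDefinitions": {
        "bearer": {"type": "apiKey", "name": "Authorization", "in": "header"}
    },
    "security": [{"bearer": []}],  # document default: every operation needs a token
    "paths": {
        "/accounts": {
            "post": {
                "parameters": [{"name": "body", "in": "body", "required": True,
                                "schema": {"type": "object"}}],
                "responses": {"201": {"description": "created"}},
            }
        },
        "/accounts/{id}": {
            # path-level parameters apply to every method under this path
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "type": "string"}],
            "get": {"responses": {"200": {"description": "ok"}}},
            "delete": {"responses": {"204": {"description": "deleted"}}},
        },
        "/health": {
            # an empty operation-level security list removes the default requirement
            "get": {"security": [], "responses": {"200": {"description": "ok"}}}
        },
    },
})

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def enumerate_operations(doc_text):
    """Return one dict per (path, method) with the data a scanner needs."""
    doc = json.loads(doc_text)
    if doc.get("swagger") != "2.0":
        raise ValueError("not a Swagger 2.0 document")
    scheme = (doc.get("schemes") or ["https"])[0]
    base = f"{scheme}://{doc['host']}{doc.get('basePath', '')}"
    default_security = doc.get("security", [])
    ops = []
    for path, item in doc["paths"].items():
        shared_params = item.get("parameters", [])
        for method in HTTP_METHODS:
            if method not in item:
                continue
            op = item[method]
            params = shared_params + op.get("parameters", [])
            # Swagger 2.0 rule: an operation's own security list overrides the default.
            security = op.get("security", default_security)
            ops.append({
                "method": method.upper(),
                "url": base + path,
                "params": [(p["name"], p["in"], bool(p.get("required")))
                           for p in params],
                "authenticated": len(security) > 0,
            })
    return ops


def unauthenticated_operations(doc_text):
    """Operations reachable without any declared security requirement."""
    return [f"{o['method']} {o['url']}"
            for o in enumerate_operations(doc_text) if not o["authenticated"]]


if __name__ == "__main__":
    for op in enumerate_operations(SWAGGER_DOC):
        print(op)
    print("unauthenticated:", unauthenticated_operations(SWAGGER_DOC))
```

Run against a real definition, the unauthenticated list is worth reviewing by hand: a health check being open is expected, an account endpoint being open is a finding.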

Qualys president and chief product officer Sumedh Thakar used his London keynote slot to deliver a piece he called The Evolution of the Qualys Platform: Unveiling the Latest Updates and Next-Gen Initiatives.

Speaking at the London show this January, Thakar suggested that the process of digital transformation has moved from being a prototyping, exploratory part of the business to, now in 2020, something that IT development teams are truly rolling out.

“Banks are now looking at technologies that would allow users to open an account simply by taking a selfie,” said Thakar — and so this will mean that these processes (which essentially run on applications) need to run on a secure backbone. The infrastructure that organisations will run on has become super-hybrid in order to be able to join all these new digital services together.

Cloud, containerisation and refactoring applications to be mobile friendly are just some of the major changes that need to happen in digitally disruptive environments. 

GPS security guidance for developers

Thakar is perhaps suggesting that if we can show developers that there are automated intelligence layers in place that will work across hybrid infrastructures and reduce the Mean Time To Remediation (MTTR), then developers might in fact take more interest in the security aspect of the systems they are working to engineer in the first place.

Thakar used a number of real world examples (from bank accounts that can be opened with nothing more than a selfie to intelligent motion-sensing doorbells) in an attempt to justify and validate the need for Qualys’ security technologies. With all examples tabled, Thakar led the audience forward to think about how system responses should be actioned.

He explained that the evolution of the Qualys platform has come about because SIEM, SOAR and log file analytics solutions (such as Splunk) were either never built to support a [security] data model that could be driven by Machine Learning (ML), or were not designed for security in the first place. Log file analytics, moreover, acts on historical data, so it is very much after the event.

NOTE: Security Information & Event Management (SIEM) tools were always designed as log correlation specialists. Security Orchestration, Automation & Response (SOAR) was, again, too much of a point solution (though Qualys is adding it directly as a playbook function anyway).

As programmers design and evolve an image in the cloud, these developers will only need to make a single API call to bring Qualys’ security layers to bear upon their cloud-native applications, thanks to the company’s close integration with both Microsoft Azure and Google Cloud Platform.

New (in terms of products) in 2020 is Qualys Respond, which includes an agent that deploys patches automatically to users’ devices… so again, this lets teams build remediation controls into their applications more intuitively.

Other developer tools from the company include Qualys Browser Recorder, a free Google Chrome browser extension used to record scripts for navigating through complex authentication and business workflows in web applications, so that a scanner can reach the pages behind a login rather than stopping at the front door.

Will DevSec get operationalised? 

So then… will developers ever truly embrace security issues and allow DevSecOps to put the Ops in operationalised? 

Qualys would like to think so… and engagement at the coal face, along with an option to explain how complex authentication, the use of optimised security agents and streamlined security assessments/audits can be made easy (dare we suggest almost joyful), will (very arguably) ultimately make a real difference for developers.