Disclaimer: I work at Sqreen

> Security is tricky for many companies ... The solution is to have security controls that cross cut entire enterprises and give operators a place to control them

This is definitely an area worth tackling, and one where multiple companies are recently growing. That's not the only issue though. Security has many levels and the landscape is historically filled with opaque practices and prices. That does not entice people to go forward with security audits or solutions.

We've seen improvements in tooling with SAST, but active security is largely pattern-based WAFs or at the network level. This has a poor signal/noise ratio and can't protect against more advanced attacks that target above the network layer (including HTTP). Recent developments target more knowledge of the application and the business logic itself. Facebook, for example, has internal tools to detect data leaks. Being inside the application is much more useful because those tools don't just see data flying by but have knowledge of context and call sites, which allows them to register malicious calls on the spot, protect just in time (even against zero days, because you hinge on behaviour), and show the exact line of code (including the call stack) where the vulnerability lies, allowing you to surface and fix it, or even virtually patch the vulnerability live.

> however what we have today is just a jumble of different solutions that consist more of blocking access rather than allowing the business to run securely.

The goal of ASMs is precisely to solve that: those tools are a kind of APM like New Relic or Datadog, only geared towards security. Big names like Facebook or Google have their own internal tools, but a couple of independent solutions have emerged already, and I think that having those companies around is going to be a shift that will benefit everyone's security in the long run, due to their accessibility and ease of use compared to previously existing solutions.