This is part 2 in a mini-series about the current paradigm shift in security towards a continuous security approach. Rickard Carlsson, Detectify CEO, was on Enterprise Security Weekly to shed light on it, and this article looks at the velocity needed to put that strategy into practice.
A decade ago, scanning networks once a month was considered a security best practice. Fast forward to 2021: most things are now an app, the velocity at which security happens, and especially the velocity at which it breaks, has changed, and it is time to think differently. Web apps are the new perimeter and need protecting, but shifting left is not enough for appsec. You need continuous security.
Part of this means having the right tools in the right places. The other part is integrating security into the delivery process so that it enables business innovation instead of stopping it.
The practice among modern cloud-native leaders is to run security tests, using Detectify or another DAST, every time something is deployed into production, especially since a change can go from staging to production in as little as 15 minutes. That is fast.
That window may not sound like much, but new vulnerabilities are discovered at a similar pace. Currently, the Detectify research team can turn a newly reported technique into an actively weaponized scanner payload, hacker-to-scanner, in that same 15 to 25 minutes.
FireEye reported that exploits for new critical vulnerabilities are used in attacks within the first 48 hours of becoming available. Running vulnerability testing at a higher frequency brings you close to the pace of attackers and gives detection a chance to land in time. Once a vulnerability is found, the information has to reach the software engineers and development teams fast, and that takes collaboration to execute.
So, pause and check: how fast can your team take in breaking security news and turn it into a test? Can it be improved?
The conventional advice is to shift security left, but this approach still positions security as a control checkpoint rather than a collaborative actor. You lose velocity when security bugs are found but not prioritized, whether because there is not enough knowledge or not enough appetite to act. The result is that innovation stops.
SaaS leaders are powered by collaborative, domain-driven development teams. They design, code, ship and iterate continuously on both development and security. When a security bug is found, it is shared with the team right away for a risk assessment and goes into the backlog. They do this multiple times per day, with no major rollout process. Check out how Spotify dispatches information in their DevOps practice.
Security works like a routine heart-rate check rather than a tollgate. Instead of stopping processes, it feeds teams the information they need to continuously harden their applications. Some bugs will reach production; what matters most is that they are detected and fixed in time.
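As an added example, not Detectify's own integration or code from the original article, here is what "test on every production deploy, without blocking" looks like as a CI job. It is a GitHub Actions workflow that fires on a successful production deployment and asks a DAST scanner to scan the freshly deployed target, tagging the scan with the deployed commit so any finding can be mapped back to the change that introduced it. The scanner endpoint, the JSON field names and the `SCANNER_API_TOKEN` secret are placeholders and assumptions; routing of findings into the team's backlog is assumed to be configured on the scanner side, not done by this job.

```yaml
# Added example (not the project's own workflow): trigger a DAST scan after
# every successful production deployment. The deployment has already happened
# by the time this runs, so the scan rides alongside delivery instead of
# gating it. The scanner URL, request fields and secret name are placeholders.
name: post-deploy-dast

on:
  deployment_status:          # fires whenever a deployment's status changes

jobs:
  scan:
    # Only react to a *successful* deployment of the *production* environment.
    if: >-
      github.event.deployment_status.state == 'success' &&
      github.event.deployment.environment == 'production'
    runs-on: ubuntu-latest
    steps:
      - name: Trigger scan of the freshly deployed target
        # A scanner outage must never turn into a failed delivery pipeline.
        continue-on-error: true
        env:
          SCANNER_API_TOKEN: ${{ secrets.SCANNER_API_TOKEN }}        # assumed repo secret
          TARGET_URL: ${{ github.event.deployment_status.environment_url }}
          DEPLOY_SHA: ${{ github.event.deployment.sha }}
        run: |
          set -eu
          # Without a target URL there is nothing to scan; fail this step
          # loudly (it is non-blocking) rather than scanning the wrong host.
          : "${TARGET_URL:?deployment carries no environment_url}"
          # Label the scan with the deployed commit so a finding can be
          # traced to the change that shipped it.
          payload=$(printf '{"target":"%s","label":"deploy-%s"}' \
                    "$TARGET_URL" "$DEPLOY_SHA")
          curl --fail --silent --show-error \
            -H "Authorization: Bearer $SCANNER_API_TOKEN" \
            -H "Content-Type: application/json" \
            -d "$payload" \
            https://scanner.example.com/api/scans   # placeholder endpoint
```

The two choices that make this "continuous security that won't block" are the trigger and `continue-on-error`: the workflow reacts to a deployment that is already live instead of sitting in front of it, and a failure to reach the scanner is recorded, not turned into a red pipeline. If your platform deploys from a different event (a tag push, a merge to `main`), keep the same shape: scan after the deploy completes, tag the scan with the commit, and let findings flow to the team's backlog rather than into a gate.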
In a less security-agile company, Rickard Carlsson says, it is common to hear that security testing is hardly frequent at all; the typical answer is, "no, that's something that we do in annual penetration testing."
If you are in this camp, you are falling behind the curve. At the rate vulnerability information flows, feedback may not reach the software engineers in time. It also means you are not staying up to date on what is actually vulnerable vs. what is actually exploitable.
Remember when we said Detectify's research team builds hacker knowledge into the scanners in 15 minutes? How is that possible? Detectify leverages a private network of leading ethical hackers to crowdsource research and real hacker payloads into its vulnerability scanners.
You can use an automated scanner to tap into ethical hacker knowledge, and complement it with a Responsible Disclosure Program that invites researchers to send in more creative findings. The combination builds up a continuous security practice and puts details in the hands of app owners before they have even heard that an exploit was possible.
Shifting left does not by itself keep security in view all the way into production. To become a more secure and faster organization, you need continuous security that does not block.
Without it, keeping security only on the left can leave you with a worse security posture.
Rickard Carlsson sums it up well:
It's a matter of hours until discovered vulnerabilities are being weaponized and scanned for over the internet, which means this is the same velocity you need to act at. You need to ingrain the whole notion of velocity into security to stay ahead of the curve.
Ultimately, the fast pace of vulnerability discovery challenges traditional security. Tech organizations have to get used to the increasing velocity of security if they want to stay relevant and keep innovating.