Q&A: Driving growth in the application security market

WhiteHat Security – an ethical hacking company – is 15 years old this year and is now experiencing something of a teenage growth spurt, both in terms of customers and headcount.

In what is an increasingly competitive market, we caught up with Craig Hinkley, who joined the company as CEO in 2015, to get the inside story on the application security space and what is driving the company.

WhiteHat is 15 this year. You must have been one of the earliest companies to establish an application security company and product, correct?

WhiteHat pioneered the Software-as-a-Service model for application security and we were first to combine the tools and technology with the expertise of security researchers to create actionable, accurate, continuous web security assessment at scale. That’s not all though; this year we will publish our 11th annual statistics report. Through this report, we were one of the first companies to bring concise, measurable data to the application security market.

We were also the first vendor to offer a security guarantee to our customers. While the biggest companies spend tens of millions of dollars per year on security, most vendors manage to avoid being held responsible for keeping their customers secure. We are prepared to offer up to $500,000 as a money back guarantee should a breach occur due to a vulnerability that WhiteHat should have identified.

How big is the application security market now?

It’s big, but in context to the size of the problem, there’s still a long runway for growth ahead of us. In CyberEdge Group’s 2014 Report, 62 per cent of respondents said they had a data breach in the previous 12 months. In 2015, that went to 71 per cent and that trend seems to be continuing.

Verizon’s Data Breach Investigations Report suggests that 35 per cent of data breaches result from web application vulnerabilities, yet according to Gartner, only 3 per cent of spending in IT is going towards web application security. So there’s definitely plenty of room for the market to grow and a clear need for continuous risk assessment that helps customers understand where their web applications are vulnerable.

What is driving the growth in the application security market?

Our research validates that one of the major drivers for spending on application security is compliance. This is particularly true in the highly regulated industries such as financial services, government, telecommunications, energy and health care. This is also especially relevant for companies developing public-facing web and mobile applications, because these apps interact directly with customers and therefore are subject to more stringent compliance and privacy requirements.

Another driver is the growing need for security leaders to be accountable to executive and board-level decision makers, who are now asking more questions about the security of their web applications. The C-suite and board are taking a big interest in understanding and managing risk; not a surprising trend, given the amount of publicity about the cost of major security breaches caused by insecure software.

In some cases, the growth in application security spend will come as a direct response to security incidents, or from a requirement to demonstrate security levels in response to customer demands. It is unfortunate that, rather than minimise the costs and risks of insecure software in a planned way, some organisations are still only acting after the damage has already been done.

Is it just the big online brands that need to worry about vulnerabilities?

Certainly not. There are mountains of both legacy code currently in existence and new code being created every day, riddled with vulnerabilities waiting to be exploited. This code may be in the largest, most well-known brands or that of smaller businesses. These vulnerabilities are not specific to industry verticals either. For example, our analysis shows that about 55 per cent of retail companies, 50 per cent of health care companies and 35 per cent of finance and insurance companies could be categorised as “always vulnerable” from a web application security standpoint.

How big a role do humans play in protecting web applications?

As automated as application security testing has become, human intelligence still plays a critical role in the delivery of accurate, actionable information. As a result, our Threat Research Centre, or TRC, team is a core element of the WhiteHat Security offering. When we scan a customer’s code, every potential security bug, defect or vulnerability is vetted, verified and validated by the Threat Research Centre. False positives are one of the big bugbears of many application security services that rely only on automated tools, while our TRC team is able to reduce false positives to almost zero.

Many of our competitors provide customers with a haystack of potential vulnerabilities and it is left up to the customer to attempt to work out which are real and critical. Our TRC team, made up of 150 ethical hackers, burn through the entire haystack to provide customers with only the red-hot needles that are the real vulnerabilities.

So what are the big challenges facing the application security market?

The biggest challenge that we face in this industry is that there is a huge talent deficit. Today’s market requirements for cyber security talent far exceeds their availability. If you’re not employed in the security market, it’s because you’re taking time off between jobs! What this means is that CISOs are struggling to hire the human resources they require to run a successful in-house cyber security programme. To overcome the talent shortage, CISOs are shifting their focus towards SaaS solutions and managed services.

They’re turning to vendors such as WhiteHat to deliver the security capabilities as an outcome, not just tools. CISOs are not struggling from a lack of tools, but rather a lack of people to operationalise the tools.

Image Credit: Ninescene / Shutterstock