The VC View: The AppSec Evolution

Eliminating friction and making AppSec scalable starts with designing solutions built for developers

While zero-days like the recent Spring4Shell create headlines, an unfortunate infosec reality is that attackers breach networks by exploiting vulnerabilities that are already well known. CISA’s list of the Top Routinely Exploited Vulnerabilities makes that abundantly clear: in 2020, eight of the top twelve exploited vulnerabilities dated from 2019 or earlier.

That’s why Application Security (AppSec) tooling like IAST/DAST scanners that can detect vulnerabilities in production workloads is so critical, and why the evolution of the AppSec space is one of the most important post-pandemic security trends.

Before we dive into the specifics of AppSec, let’s clear up a common misconception: AppSec and DevSecOps are complementary, but they are NOT the same. DevSecOps is about building security into the SDLC and “shifting left”, while AppSec is about finding, preventing, and fixing issues once workloads are deployed to production.

Put simply: DevSecOps is about pre-deployment and AppSec is post-deployment.

Specifically, the AppSec category includes tools like IAST, DAST, RASP, WAFs, IPS/IDS, and bot management solutions. Traditionally, AppSec tooling was siloed between development (dev) and operations (ops). Dev implemented IAST agents while ops ran ad-hoc scans. Or, worse, security scans were simply tacked on post-deployment without any dev involvement at all.

But in a world where DevOps culture and CI/CD pipelines are the norm, manual scans and siloed security tooling can’t keep pace. Businesses need AppSec solutions aligned with the collaborative and agile culture that has made DevOps so powerful. That means emphasizing collaboration, eliminating friction, and enabling automation. Ad-hoc scans and annual pen-tests are useful, but they don’t provide the same protection as tooling that is inherently part of the delivery pipeline.

Additionally, false positives and false negatives are both major problems in the AppSec world. Flagging too many irrelevant vulnerabilities leads to alert fatigue and complacency. This is common with scanning practices that simply raise alerts based on version numbers or limited context, without establishing whether the flagged code is reachable or exploitable in the deployed application. The flip side of that coin is that false negatives are worse: not alerting when an exploitable vulnerability is present can lead to a breach.

With that in mind, what trends are moving AppSec in the right direction and shaping what the market will look like in the years to come? 

● Developer focus – This may be the single most important trend in the AppSec space over the next few years. For AppSec to become frictionless, the tooling must be built to meet the needs of modern developers. That means a focus on APIs, automation, and integrations with other tools developers use like Jira, Slack, and GitHub. Tromzo, a startup that has raised over $3 million from over 25 different CISOs, is a great example of a startup making progress in building developer-focused AppSec tooling.

● Context is key – Exploits are a pattern of events. And what’s malicious in one context may be harmless in another. Understanding behavior in context is key to improving detection rates, reducing false positives, and identifying sophisticated attacks. To understand the context at the speed required to mitigate threats, AppSec tooling must integrate AI and ML effectively. Fortinet’s recent acquisition of the Bay-Area startup is one clear example of investment in integrating intelligence and context into AppSec.

● Convergence – “Tool sprawl” is a real problem in the AppSec world. A single team could have different tooling for vulnerability scanning, WAFs, bot detection, and IPS/IDS. More tools mean more complexity, more friction, and more chances to get something wrong. All of that is bad for security. DevOps teams need tools that simplify workflows, and part of that is converging security functionality into a single platform. For example, the Contrast Security platform combines security scanning, assessment, threat detection, serverless security, and SCA into a single platform. 

To summarize, AppSec is key to protecting production workloads from modern threats, but there are still too many silos and too much friction in existing implementations. Ad-hoc scans and tooling spread across teams with different responsibilities aren’t agile or scalable enough.

Eliminating friction and making AppSec scalable starts with designing solutions built for developers. The AppSec platforms that do that and deliver the accuracy and convergence teams need will be the platforms best positioned to grow their market share in the years to come.

Written By

Will is a Managing Director and a founding team member at ForgePoint Capital. He has been an avid technology enthusiast for decades: building his first computer in elementary school and starting online businesses while completing his bachelor’s degree from the University of California, Berkeley. Focusing on security startups for a decade, he has worked with more than 20 cybersecurity companies to date. In his spare time he’s a foodie with friends, enabling serendipity and building communities.
