Wednesday, July 10, 2024

The Solution to Application Security’s Biggest Challenge, Vulnerability Remediation, May Finally Arrive

The importance of vulnerability management is simple — find and fix issues before an adversary finds and exploits them. Unfortunately, the remediation rates reported by leading application security vendors average only around 50% or far less. And when vulnerabilities are fixed it takes weeks or months. The rest of the vulnerabilities? They’re often never fixed and this has been the reality for many years [1][2][3][4][5].

The underlying reason for vulnerabilities not getting fixed is basically resource constraints. When application vulnerabilities are found, typically they must be fixed by an internal software development group, not the InfoSec team. And since software development resources are always scarce, allocation between vulnerability remediation and building new features is purely a business decision. And the needs of the business largely favor revenue generating features over security issues.

At the same time, many companies have hundreds and often thousands of websites in total, with an untold number of code repositories supporting them. And in my experience working in application security for ~20 years, including at WhiteHat Security with 1000+ customers, only ~20% of their websites are routinely scanned for vulnerabilities. And this is essentially the same for the underlying code repositories as well.

And the reason for the lack of pervasive application scanning is understandable: if a company already can’t keep up with their current remediation challenges, they’re certainly not going to want to spend more money to identify potentially thousands more vulnerabilities that they also can’t fix any time soon.

The lack of a scalable vulnerability remediation solution is what holds back pervasive application scanning, and leaves thousands of companies at risk without viable options. Finding a way to remediate vulnerabilities faster, easier, and cheaper would be absolutely monumental and push the entire application security industry forward. That’s why I’ve been focusing on and researching this problem for well over a decade.

I’ve worked with WAF technology, RASP technology, browser technology, leveraging third-party development shops, and anything else that might work. All these approaches have their pros and cons, and do work in certain scenarios, but ultimately they have so far been unsuccessful in broad market adoption. More product innovation is needed.

AI technology provides an exciting opportunity to solve vulnerability remediation. We’re already seeing how developers are able to leverage AI to automatically generate code. In the same way, what if it were possible for AI to import Static Application Security Testing (SAST) results and automatically fix the code with an AI Agent built on LLM technology? Ideally, all a developer would need to do is review the fixed code and accept it for QA testing in a single click. This would allow a developer to fix an issue while it's fresh in their mind in less than a minute, much better than getting a ticket 3 months after the code was written.

There are at least a few vendors working on this approach. Recently I was introduced to a start-up called Amplify, which is building a product based on this exact concept. Amplify provides developers with an AI-powered tool that automatically fixes vulnerabilities in a way that would be equivalent to having a Sr. Developer and Sr. Security Engineer sitting and solving the problem together. The potential of this technology is exciting and will only get better over time. I believed in the founder, the vision, and the implementation enough to become an Angel investor.

I personally want to be part of solving this problem after spending most of my career in the application security industry. Success would enable every company to finally be able to scan their entire code repositories for vulnerabilities, and when vulnerabilities are found, they could do something about it quickly and easily. Remediation rates would be drastically improved, mean-time-to-fix would go way down, and application breaches would become rare. This is the entire goal of the application security industry — and it could be right around the corner!
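As an added illustration of the SAST-results-to-fix-to-review loop described above (example code written for this post, not Amplify's product or anything from the original), a rule-based stand-in for the AI agent takes a constructed SARIF-style finding, proposes a parameterised-query fix, and gates it behind a re-scan before producing the diff a developer would review. The finding, the source file and the rewrite rule are all constructed assumptions.

```python
import difflib
import json
import re

# Constructed SARIF-style SAST result (sample input, not real scanner output).
SAST_RESULTS = json.dumps({"runs": [{"results": [{
    "ruleId": "SQL_INJECTION",
    "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "app/users.py"},
        "region": {"startLine": 3}}}]}]}]})

# Constructed vulnerable source: untrusted input concatenated into SQL on line 3.
ORIGINAL_SOURCE = """import sqlite3
def find_user(conn, name):
    cur = conn.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchone()
"""

# The concatenation shape this stand-in knows how to fix: execute("... = '" + var + "'")
CONCAT_QUERY = re.compile(
    r'''execute\("(?P<sql>[^"]*?)'"\s*\+\s*(?P<var>\w+)\s*\+\s*"'"\)''')


def still_vulnerable(source):
    """Re-scan: does any line still match the injection pattern?"""
    return any(CONCAT_QUERY.search(line) for line in source.splitlines())


def propose_fix(rule_id, line):
    """Stand-in for the LLM agent: rewrite concatenated SQL as a parameterised query."""
    if rule_id != "SQL_INJECTION" or (m := CONCAT_QUERY.search(line)) is None:
        return None
    sql, var = m.group("sql"), m.group("var")
    return f'{line[:m.start()]}execute("{sql}?", ({var},)){line[m.end():]}'


def remediate(sast_json, source):
    """Fix the first finding; return the path, review diff and re-scan verdict, or None."""
    result = json.loads(sast_json)["runs"][0]["results"][0]
    loc = result["locations"][0]["physicalLocation"]
    path, line_no = loc["artifactLocation"]["uri"], loc["region"]["startLine"]
    lines = source.splitlines(keepends=True)
    fixed_line = propose_fix(result["ruleId"], lines[line_no - 1])
    if fixed_line is None:
        return None
    patched = "".join(lines[:line_no - 1] + [fixed_line] + lines[line_no:])
    compile(patched, path, "exec")  # the proposed file must at least still parse
    diff = "".join(difflib.unified_diff(
        lines, patched.splitlines(keepends=True), f"a/{path}", f"b/{path}"))
    # Only a fix that removes the flagged pattern is offered for one-click acceptance.
    return {"path": path, "diff": diff, "verified": not still_vulnerable(patched)}
```

The `verified` flag is the gate the developer's single click depends on; a proposal that fails the re-scan would be routed back rather than presented as done.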


Tuesday, July 09, 2024

Why InfoSec Vendors Force Customers to Work with Sales

If you visit practically any enterprise InfoSec vendor’s website and are interested in trying out their products or services without speaking to a sales rep first, good luck — this is rarely allowed. Even just getting pricing info from a vendor without engaging in a sales process is next to impossible. The vast majority require customers to email or fill out an online form, schedule a meeting with a sales rep, sit through a PowerPoint presentation, and THEN they’ll let customers try the product. And all of this happens in a carefully scripted and supervised manner. For many customers, this experience is often frustrating and avoided whenever possible.


I’ve long asked why sales leaders and reps insist on connecting in person with customers before even considering allowing demos or providing pricing. One explanation they give is that if trials are allowed without an initial sales meeting, customers will struggle with installation, configuration, or usage and fail to comprehend the ‘full’ value. Sales leaders are concerned about potentially losing deals to competitors who require a more hands-on white-glove process.


As for pricing, sales reps will say that if the website reveals pricing upfront and competitors’ websites don’t, customers might get sticker shock and avoid contacting them. This prevents sales reps from having an opportunity to demonstrate the product and justify the value while the customer looks into another solution. These reasons, and others, are supposedly why customers must endure a people-intensive, painstaking, pressured, slow, and frustrating sales process.


While these enterprise sales philosophies may have once made sense in a previous decade, today they feel antiquated and inferior. For example, consider the sales models of big cloud service providers such as Amazon, Google, and Microsoft. They’re capable of collectively selling hundreds of billions of dollars a year in IT services to the smallest of the small and largest of the large organizations in the world, basically friction-free. At any time, an interested customer can spin up thousands, hundreds of thousands, and even millions of dollars worth of services in minutes without ever having to speak to a sales rep or anyone else. Why can’t, or why doesn’t, every InfoSec vendor follow their example?


Is the value of today's InfoSec products really too complicated for customers to understand on their own? Are customers really incapable of figuring out how to deploy products without assistance from sales? Does making pricing info readily available actually drive customers away toward competitors? If so, then my contention is we have a serious and industry-wide product deficiency problem on our hands. And every problem is an opportunity to improve.


For the average start-up I’ve worked with, the sales department generally represents 12-18% of the overall company budget. And the marketing department budgets are roughly the same. Marketing spending is an important consideration here because marketing has to find customers and push hard to convince them to engage in a sales-led process rather than just clicking a link. Then, often because a vendor’s sales reps don’t have the existing relationship with a customer needed to get their attention, they’ll rely on the channel (i.e., VARs). For this very reason, many customers prefer to evaluate and buy through one of their ‘trusted partners.’ Tack on another 3-30% of the cost of sales in channel commissions.


All of these sales and marketing costs add up and partially explain why enterprise security products are so expensive. They also contribute to why they’re out of the price range of many small and medium businesses (SMBs). In the current model, it’s just not worth a vendor’s time to sell to SMBs unless they engage on their own. Personally, I see a huge opportunity for existing vendors and start-ups alike who successfully solve this problem.


Imagine for a moment if an InfoSec vendor found a way to cut down this sales and marketing overhead by enabling a self-provisioned sales process, and invested those dollars directly into a product that can [gasp] sell itself! The overall cost of sales goes down, customer satisfaction goes up, deals are done quicker, vendors become more competitive, and new market opportunities open up (e.g., SMBs). The sales apparatus of the big incumbent security vendors will have a difficult time making such a shift because the entire sales department will resist. Therefore, the advantage goes to the start-ups. We’re just starting to see InfoSec vendors selling through Amazon’s marketplace, for example. I’m hoping this becomes a trend.


Thursday, June 27, 2024

InfoSec Market Labor Shortage and Predictions

Observations
From my personal experience and through conversations I’ve had with many other security pros, we’ve observed that the average level of competency among enterprise InfoSec personnel is either flat or decreasing. And this has been steadily taking place for several years. This occurs despite the plethora of widely accessible educational content and professional training options. This is important to note because, in order to remain effective, the operational environment of InfoSec also requires professionals to learn an ever-expanding knowledge base. As every expert will attest, this is a significant challenge for every individual and organization.

Then as businesses digitize essentially every product and service in modern life, today’s IT environments have become incredibly sprawling and more complex by the day. This level of complexity, and the associated legacy IT backlog, makes it exceptionally difficult for practitioners to comprehend, monitor, and maintain robust security of the environments they’re meant to defend.


Causes
The InfoSec market is growing rapidly ($172B annually with 10-12% CAGR), leading to high demand for skilled professionals across the corporate spectrum. The demand and the resulting skill gap are exacerbated by new and emerging technologies such as IT/OT, cloud, virtualization, microservices, blockchain, low-code/no-code, new programming languages and frameworks, and of course, AI/ML.

Nobody can claim expertise in all these areas or even close. Additionally, InfoSec does not have structured and widely available pathways to onboard entry-level talent. Hiring managers also commonly struggle to accurately assess the level of expertise of potential hires due to the nuanced and complex nature of InfoSec skills.


Prediction
In the near term, there are no scalable options yet on the horizon to broadly address these labor issues, and we have every indication and expectation that the skill gap will remain and likely even widen. If so, and for lack of better options, we can only expect organizations to continue placing inadequately trained and inexperienced personnel in vacant security roles, where they operate more like program managers. This is a reasonable approach given the current constraints.

Consequently, many organizations lack confidence in their ability to sufficiently protect their environments from breaches — and for good reason. Many practitioner surveys published over the years support this observation. While some people will suggest substantive wage increases as an immediate solution, with which I don't necessarily disagree, doing so can only help individual organizations. The larger net effect can only serve to shift labor shortages from one area of the market to another and will do little to solve the overall industry shortage.


Opportunity
  1. An increasing number of organizations and their security programs will rely upon Managed Security Service Providers (MSSPs) for third-party assistance — especially MSSPs who are willing to take on contractual liability. Of course, reliance on MSSPs does not necessarily solve the core challenges; it only transfers the security problems from organizations to the MSSPs. Security product innovation remains a crucial component of the market. The MSSP market winners will be those capable of offering a comprehensive suite of security controls capable of keeping up with an evolving threat landscape. That said, no amount of technology automation in any segment of InfoSec completely removes the need for human expertise. Therefore, the MSSPs who can best hire, train, and retain top talent will have the long-term competitive edge.
  2. If an increasing percentage of InfoSec budgets is going to flow through MSSPs, this becomes an increasingly attractive go-to-market strategy for both incumbent security vendors and start-ups alike, especially for those capable of integrating seamlessly into the current MSSP technology stack and processes.
  3. Businesses are finding that cyber-insurance is becoming compulsory. And it makes sense because if you feel that you can’t protect against the breach, at least protect against the monetary loss. So we’re going to see an expansion of cyber-insurance carriers, both large and start-ups, offering insurance packages that come with a suite of security solutions bundled in — for free. The question is, will they build these technologies themselves, partner for the capability, or make acquisitions?

My prediction is: All three.