The Resilient Cyber Podcast brings you conversations from diverse cybersecurity professionals ranging from executives, subject matter experts, and aspiring entrants. Today's diverse threat landscape requires systems that can withstand a variety of cyber incidents, remaining trustworthy and secure. Thank you for joining the Resilient Cyber Show. My name is Chris Hughes, and today I'm joined by Katie Norton. Katie, thanks for being here. Yeah, of course. Thanks for having me. I'm excited.
Yeah, I'm excited to chat. I started following you, I think, sometime in the last year or so. And, you know, a lot of the content you were putting out around AppSec and software supply chain and things like that was catching my attention because it was stuff I was talking about or writing about, too, and kind of noticing in the industry myself.
But for folks that don't know you, don't know IDC, can you tell us a bit about your background as well as that of the team? Yeah, sure. Again, thanks for having me. So I am an industry analyst at IDC. For those who are not familiar with IDC, we're one of the premier market intelligence, insight and data providers, for almost 60 years now. We have our 60th IDC Directions Conference
in San Jose this April. And IDC has over 1,300 analysts worldwide, in over 110 countries. So we are really able to provide the global, regional, local, a lot of broad intelligence. And actually we've been recognized by the Institute of Influencer and Analyst Relations as the analyst firm of the year for the last five years. So we're well-recognized
in that way. In terms of myself and where I fit in IDC, I work in our application development analyst group, which I think gives me a unique perspective on security, in that all my peers are covering things like DevOps, testing, developer trends, open source, all those kinds of things. So I'm kind of coming at AppSec from more of that SDLC perspective. And so I lead our,
very long-winded, DevSecOps, application vulnerability management and software supply chain security research. And I have been doing this for about three years now. And actually, my background has nothing to do with security or tech. It actually has to do more with the data part, in that my master's is in research administration, and I have done some work in data analytics, and I'm just generally a data nerd. I worked in institutional research at Central Michigan University for about 10 years
before I rode the great resignation wave in 2021 and moved out of the public sector and joined IDC. And so I've been deep in all things application security for a couple of years now. What has helped me is I'm a quick learner and I'm a sponge, and my husband's a developer and has worked in IT apps
his whole career. So he's a good sounding board, especially early on when I was like, what's Kubernetes? Yeah, that's actually interesting. So first off, I didn't realize IDC was that big. That's amazing. And then your background actually probably serves you in some ways, because you get to look at security with a fresh set of eyes versus someone who maybe has been in the trenches for 20, 25, 30 years, whatever the case is.
And then your husband, I guarantee he's like, yeah, we hate you guys in security, you make our life hell. Which we're going to talk about a little bit later in terms of the developer tax, as you called it. But yeah, a lot of painful lessons learned between us and developers over the years. Yeah, a big sounding board for conversations.
Yeah, that's awesome. So I wanted to ask, you know, before we kind of talk about 2025 and some of the things you're going to be focusing on in terms of research or trends, things like that, you know, over the past year, you know, in 2024, what were some of the key things you saw, different themes? You know, you've seen it unfold and maybe even some things that you were a bit surprised by that you didn't anticipate.
Yeah, actually, what's been a really good pulse is I had a couple of hot takes in my conversations at RSA last year, and RSA is sort of that midway point through the year. And I still find that I'm seeing what I was starting to feel come true in a lot of ways and start to materialize more in 2025. And I think two of the biggest things I was talking about last year were, one, a lot of focus
on software supply chain, open source security. I think my hot take at RSA was that traditional SCA is in its flop era. Trying to be Gen Z, gen-A of me. But I've really seen this flip of open source security focus to more proactive approaches, and that's where I've seen a lot of innovative technology, where we've seen a lot of disruption in the SCA market. We've seen vendors like Chainguard, Endor Labs,
Socket, all of these folks come out with big funding and try to approach these different aspects of how to make open source more secure in the enterprise, that just reactive manifest scanning, as it's traditionally been done, while still necessary, isn't totally sufficient anymore. And I've continued to see that in trends of more focus on malware and malicious packages, and just that scope of what securing open source
has meant has really expanded, I think, in 2024, and we continue to see that going forward. And then the other big one, and we can pause if you want to talk more about either of them, was just the market itself is shifting. AppSec has traditionally been very siloed in lots of categories. There is a world where AST and CNAPP in cloud security were as far apart as they could possibly be. And then you had your DevOps platforms
and observability. And you've kind of had all of these distinct spaces. And now, I mean, I really saw the momentum pick up around the point of RSA. And that's only continued, where I feel like all of these spaces are like bullet trains heading headfirst towards each other, in that
we're going to be in a world, this was my second RSA hot take, we're going to be in a world, and I don't know, arbitrary three to five years, where your traditional AST vendors and, say, your traditional cloud security vendors and your DevOps vendors and your observability vendors, the overlap between those products as it comes to AppSec is going to be greater than it is
different. And that's going to prompt organizations, when they're making their buying decisions and designing their budgets, that in a world where you might have had an AST platform and a CNAPP, I think there's going to be a world where you might have one, right? And who you go with kind of depends on your stack and your apps and your approach to all of those things. These spaces are much more mushed together than they are the distinct, separate categories they were a few years ago.
Yeah, definitely. I agree with everything you said. And, you know, I'm a little biased, first off, because I'm the chief security advisor at Endor Labs. But I've been writing and talking about software supply chain for several years, including a book on the topic. And they caught my attention because they were integrating with developer workflows and going
beyond just finding things; they were taking the next step of providing context around reachability and exploitability, exploitation, et cetera, and integrating with developer workflows, those kinds of things. And then Chainguard, I'm a big fan. I've done a lot of webinars and stuff with them over the years, where they kind of leaned into this
by design and zero CVEs, and actually having you start from a secure foundation rather than just finding problems faster. So they've really gotten a lot of great traction there, and I'm familiar with Socket and many of the others too. I agree with you there. I think we've seen a new wave of software composition analysis and AppSec tools.
And then your second topic is actually something that I've seen play out quite a bit in the industry over the past years, the debate between platforms versus point products, or best of breed versus a platform. And then there's a lot of nuance in that conversation around the best capability versus
consolidation and cost savings and optimization and efficiency. I'm curious, as you're navigating this, interacting with the vendors the past year, I'm sure some are making the argument that, hey, we're the best of breed, we do all the things that the platform can't do, et cetera, and then the others are saying,
hey, we bring it all together. We help create the quote-unquote single pane of glass and offer cost savings. You know, how have you encountered those conversations of platformization versus point products or best of breed products? Yeah. I mean, I will say some of it is like tale as old as time, in that, you know,
starting out, I was covering DevOps along with DevSecOps. And so I spent a good year or two covering your CI/CD and DevOps platform vendors in addition to the security stuff. That actually, I think, has kind of helped in how I view what's happening here. Because I mean, that platformization thing has been happening
even earlier on the DevOps side for a while now. And I think the main thing is that it's never going to go away. It's like a pendulum, right? It kind of just swings back and forth. I do think the "everybody is consolidating" is a little bit... I mean, in IDC we do a ton of survey research, and obviously I talk to a lot of end user organizations too, and many are consolidating, and there are
benefits to a platform, right? And I think we're going to talk a little bit about ASPM and platform engineering, and both those things I think play into this, in that platforms help eliminate some of the big AppSec problems that we have right now. A lot of the reason most organizations are in the scenario they're in is because they've used a whole bunch of disparate, unconnected
tools that don't communicate with each other, and not only tools, but teams too, right? Despite the concept of DevSecOps being almost 10 years old now, roughly, I still consistently hear in my conversations and my survey data that there is still a lot of tension between developers, operations, and security. But the best of breed pattern is still...
It still has value. I think that's where a lot of innovation comes out of, and the common market patterns, right? You have these startups pop up that are addressing something in a way that hasn't been looked at before and trying to disrupt a space. And then a lot of times either they build a platform or they get absorbed into a platform, right? And so these patterns continue. I do think platform engineering is a concept that actually enables organizations, especially enterprises, to
lean into best of breed a little bit more, especially if they have a very mature platform engineering team and a well-developed internal developer platform. It actually, I think, allows you to almost make your own platform a little more easily than may have been able to be done in the past. So I think there's some of that there that helps on the best of breed side, maybe swings that pendulum slightly closer to best of breed and its value.
I think it would be foolish to say that we're not currently in a strong platform market when you look at AppSec in particular. Yeah, I think you made a few good points that are worth highlighting. First off, this is not unique to AppSec. It may be trending in AppSec right now, but this is a tale as old as time when it comes to security, or even tech more broadly. It's cyclical. You have these
organizations that come out, these innovators; they make a point solution that's very innovative and capable initially. Then they grow and add more capabilities, either organically through development or they acquire other companies, right? And then they kind of become a platform themselves, or they get acquired into a platform, for example.
And then it's cyclical. Again, new capabilities come out, new tools, new vendors. They build themselves out. They either get acquired or they build out a platform. And it's just cyclical. There's never going to be one tool or one vendor to rule them all in security.
And yeah, it's kind of a false dichotomy. And there's some great pieces out there. I've tried to write a few about this, but there's also some great stuff from my friend Ross at Venture in Security, who wrote a good article about this topic, the cyclical nature of that. So it's a great point. And then, as you point out, I like the point that
it's not just the tools, it's the organizational workflows and the team dynamics and things like that that play a part too. That often gets lost in the conversation, thinking everything is a tool-centric approach to resolving it, where it comes down to people and teams and communication workflows,
organizational politics and a lot of things that you wouldn't think are at play are actually key to the conversation, too. So we talked about, you know, you mentioned ASPM, platform engineering. And those are areas that you highlighted in a piece you had
recently put on LinkedIn, where you talked about your key research areas going into the new year. You put application security posture management, platform engineering, SBOM management, and securing AI applications. And of course, those are all connected to some extent in large environments. I'm curious, what made you settle on those? And let's maybe discuss each one a little bit. Yeah, sure. You know, each year as an analyst, in my research practice, I have
kind of full control over the research that I publish into that program. And I try to make sure that I'm touching on things that are relevant to both end users and to vendors, because those are the folks who are reading what I have to write. And these are things that,
usually, as I go throughout the year, I look for trends in my conversations, again, both vendor and user stuff. And I read a ton, right? So I'm always reading. I read your newsletter. I consume a lot of information. And so I look at that. And I'm also looking at areas where I feel like there's not enough that's been said, particularly from the analyst perspective. And so that's where I'm looking at, especially the first two. So ASPM.
This year, I am launching my very first vendor evaluation. I have not done one before. And so I decided the topic to do it on was ASPM platforms, because this space has matured and evolved quite rapidly. I remember, I think, probably starting to get introduced early on to ASPM, maybe in late 2022, where I started talking, especially in that pure-play ASPM space, to vendors like Apiiro, and as that terminology
evolved, I saw a rapid adoption of it. And actually, I saw a lot of pivoting vendors that were maybe labeling themselves as something else that have really latched on to that. And I think there's benefit to that. Obviously, as analysts, I'm complicit in the acronym game, right? We're part of this. But I think it helps vendors identify, which I think helps with sales and marketing and how to communicate your brand. But the one thing I've found is that what ASPM
actually means, and for the buyer, what are the capabilities that should be under that umbrella, what should you be looking for, is kind of gray, and there's a very wide spectrum of what that means. And interestingly, in my evaluation, the first process is qualification. And that list of vendors that I sent
those things out to, I think it was over 30, and that's a huge number for a really pretty brand-new category. And they span from, again, those pure-play platforms to AST vendors to vulnerability management, that CTEM, exposure management kind of group. And then the CNAPP space as well has increasingly
moved into that space. I wrote about Wiz acquiring Dazz before the holidays, and those moves there. And I mean, CrowdStrike moved in there pretty early too with Bionic. And so there's a really interesting mix of vendors. And so when I looked at it, I was like, you know what, my peers at Gartner and Forrester have yet to do an evaluation in this space. So I was like, I'm going to stick my flag in the moon and try to... I think it was something that would really benefit
both the vendors in this space, to be able to be positioned, but also buyers, really more than anything, to help them understand what is that range of capabilities and help them align their needs. Because the mid-market needs, and I think this is often a common conversation under ASPM, the mid-market and enterprise, ASPM kind of solves two
different problems, in my opinion. And so I'm just trying to put some foundational research down there that doesn't currently exist. Yeah, I think that was a great way to summarize it: we saw the term start to take hold, and then vendors in the AppSec space, some, you know,
initially rallied around it and claimed to be doing it from the onset. Others pivoted to it. Others perhaps distanced themselves, saying, hey, we're not going to align with this term quite yet. And then everyone you asked had a different opinion. What is ASPM in terms of, you know,
features, functionalities, capabilities? Everyone had a different perspective on that. So it's definitely helpful to rally around a unified definition of that, or how to look at it from a buyer's perspective. And as much as we hate the acronyms, they are helpful sometimes to communicate capabilities and things like that. So the platform engineering piece, you talked about this in terms of enabling
building these security platforms internally, depending on the enterprise, and empowering developers with these consolidated shared services, security services for the enterprise. How do you see this one playing out in 2025? Yeah. So the reason I really wanted to do some research this year in platform engineering: again, my DevOps background has had me keenly interested in this topic for the last couple of years. But actually what I find most interesting is that
when I talk to end users, you know, I go to events like KubeCon and more practitioner-oriented events, and when you hear them talk about platform engineering, security and compliance and the guardrails around that are always one of the first points of conversation from the end user. And when you ask them about how they've developed
their platform, what are the capabilities they're including, in some survey research I did, the very top capability out of a list of 15 that surfaced, with a real good margin at the top, was security. But yet when I look at the marketing messaging from AppSec, there's very few that are positioning how they fit within that context, right? Because with platform engineering, per our earlier conversation, there is no,
like, here's your platform, right? I mean, there's some, you could definitely argue a lot of the PaaS platforms, the Herokus of the world, can serve as a really foundational internal developer platform. But a lot of times organizations are building these and assembling them from a variety of tools and functions. And so I think what I want to try to communicate is how security vendors should and could position themselves within
these concepts, because it is a strong pattern. I think we see adoption roughly around 80% of organizations having indicated that they either already have a platform team and an internal developer platform, or they're in the process of building one. So it's really how DevOps and DevSecOps conceptually have evolved and are being executed, really. We always talk about platform engineering as sort of how you scale and enable DevOps in enterprise organizations,
and not that whole "DevOps is dead" debate from a couple of years ago. And so we look at it more as how it's enabling some of the challenges of DevOps, particularly in the enterprise. So yeah, I think it's important, because organizations are so focused on security, but I don't think security vendors are leaning into that as much as they could and should.
Yeah, I agree with that. So I've been doing a lot of work in my career... a lot of my work happens to be in the federal and Department of Defense space, including the commercial space, too. And they have a phrase they call software factories, which is akin to platform engineering or platform-as-a-service type environments. And the reason that security and compliance always comes up as a core part of that conversation is,
most developers you interact with or communicate with, they don't want to worry about all the minutiae of the compliance and the security, things like that. So you build in paved paths and inheriting security controls and the compliance benefits of using a secure, compliant platform, things like that, and
offer these security tools and services as a shared service from the platform to developer communities. And it makes their life much easier. They can focus on their core competencies of developing the application rather than all the security and compliance things that they don't want to deal with, let
alone most security folks don't want to deal with sometimes. So I think that was well said. And so the other piece you have in here is SBOM management. This one is a bit of a polarizing topic. I'll admit, you know, when we first saw the federal cybersecurity EO
14028, back then SBOM was a hot topic. Everyone was talking about SBOM. You've got to have SBOMs, things like that. Now it's become this kind of polarizing topic where some, like for example Dan at Chainguard, take pretty spicy takes about SBOM. Some folks kind of
consider it a unicorn, right? We heard about it all the time, but no one's actually doing it or using it, where others say, hey, we are doing this, like Schneider Electric and Cassie and folks over there often are talking about SBOMs and SBOM management. So why this topic, and what are you seeing on this one? Yeah. This is another area. So we have a new document. It's a vendor evaluation light, I guess you would call it, in the sense of not actually
evaluating how those evaluations group people as leaders and contenders. This is more like a capabilities matrix, if you will. And it helps buyers understand, you look at it, the spectrum of vendors and what are the core capabilities under the umbrella of SBOM management, and what does that look like across the market and what's available. And that was what I wanted to try to do under this topic this year, because I think
SBOM management platforms have matured to the point now where there are some core players here, right? Cybeats, Manifest, ServiceNow has a product here. There's a whole bunch, and even the AST players have increasingly started to pick up capabilities under SBOM management. For me, I think certainly there is still debate to be had around the
ROI or the outcomes of SBOMs: is this a necessary practice for all organizations? There's a lot of conversation still yet to be had. And also, I think the current administration and what happens there is going to have a significant impact on the trajectory of SBOM. Because, you know, like
Jen Easterly and Allan Friedman and all the work that they've done under CISA under the last administration, it's yet to be determined what's going to happen there, right? But I still think, from the interactions I've had with the vendors in the space, and I do get inquiries from end users as well, there are still certain particular industries and sectors, like obviously those producing products that have to align with the FDA's regulations.
The automotive industry seems to be really leaning into SBOM, and some of these bigger organizations. And they need tools to be able to... if you don't have an SBOM management tool, you will never actually get any ROI out of them. I did a whole bunch of survey work on SBOMs to try to get a pulse on where organizations were at. And I want to say
that only 20% of the respondents were using an SBOM management platform, which actually, when I say only, I thought was pretty high for where we're at with those tools. But I mean, there were folks very much admitting to storing SBOMs in, the most common were S3 buckets, or there are people that just said on the developer's laptop, or a SharePoint or Google Drive. And it's like, if you can't aggregate,
search, some of the ASPM concepts, right, be able to aggregate, search, normalize, and be able to actually utilize the data, then they're worthless, right? Then it's a checkbox activity: I have an SBOM because somebody said I had to have it. I actually do want to make SBOMs useful, because there are use cases for them and there are organizations that do get value out of
producing, consuming and leveraging those SBOMs for things like not only vulnerability management, I think that's actually probably the weakest and less important use case. I think things like procurement, third-party risk, those kinds of factors, when you as an organization are making buying decisions, and just around
pushing towards more software transparency, I still think there's value for SBOM. So that's what I'm trying to uncover in my research: that last leg of SBOMs, right? It's less so about producing them. It's about, okay, what do you do? I've got an SBOM, now what?
Yeah, that was kind of the theme. And that's why I think it's become a polarizing topic, because everyone said, okay, great, we had this big rush to produce these artifacts, get them. Now, what do we actually do with them? And a lot of organizations, like you said, are doing it as a checkbox activity where they
get it, they store it, but they don't actually get them iteratively when new software versions come out or new components are added to a product, et cetera. Or they're not acting on them, whether in the context of vulnerability management or integrating with procurement and acquisitions, things like that, M&A,
for example, potentially. So it remains to be seen where it will go next. And I agree with you. It got early traction due to being driven from a regulatory compliance perspective; whether that continues now with this new administration and more of a deregulatory type landscape that we're heading into
remains to be seen. So it's going to be interesting to see what happens with SBOM management. So the last one that you had in that quad of items is securing AI applications. And this one is a pretty broad one, because you have AI for security, and then you have securing AI. And then within that, you have different aspects of AI security, whether it's the model, interacting with third-party SaaS AI vendors,
prompt injection, et cetera. There's a lot of different risks and types of things that different AI security vendors are focusing on. So what are your thoughts on this one? Yeah, yeah. And I agree with you. There's this dual nature, right, of AI in AppSec: how you use AI to make AppSec better, but then also how do you secure the AI that folks are integrating at a rapid pace into their applications. And so this...
I want to focus a little more on that securing AI piece, right? Because I think that's moving a little bit more slowly than the adding AI, because almost every tool now has added at least your checkbox chatbot, ChatGPT integration, to some that have used AI in more sophisticated ways. But I think what's important here is I want to dive into the different ways vendors are providing capabilities here. What are some of the things that you should
or could use or leverage to secure your AI applications? Because it's popping up in pockets. I mean, you've got some vendors out there that are coming to market as, we're an AI security AppSec vendor. Protect AI is a good example there. I think Noma Security is a new one that came out not that long ago. Some folks that are just providing those platforms, right? But
to this tale-as-old-as-time conversation, when you think about application security, when you think long-term about it, you don't want to understand the security of the AI components apart from all of the rest of the code and how it's running. I mean, once the application is in production and running, all of those
parts interact. And so having separate tools is great, especially in the beginning; you're getting probably those experts that have been deep in this space and really been thinking about this problem. But what I'm really looking for is to see your traditional AppSec vendors start to provide those capabilities to be able to secure your AI application. What does that look like? I mean, I've seen things from just the ability to scan
models for vulnerabilities. Endor Labs, for instance, JFrog, they've all done some stuff around being able to understand what open source models you're bringing into your application, and that whole AI supply chain part of the problem. And then there's also the runtime, right? AI firewalls and things to
protect the running application itself from things like... you can't really check for prompt injection during the development process, right? So just like regular AppSec, there's this whole spectrum of capabilities that you need to think about in protecting these applications. But leaning into the fact that I think our AppSec vendors need to be
thinking about how they're going to help secure these applications, because in the long term, just like every other pattern, this stuff's going to roll up, right? Securing AI applications is not going to be its own
category forever, right? Yeah, no, I agree. It completely goes back to the cyclical nature we talked about. We're going to have these bespoke best of breed platforms or point solutions that come out, and you named some of the companies, there's others, there's HiddenLayer, there's Lasso, there's a bunch of good ones out there, and they're doing different aspects of AI security. But eventually I think those will
become part of bigger players, or they'll grow to become platforms themselves and take on additional capabilities and functionality. And it's that cyclical nature, like you said. I've had Rob van der Veer on before, if you've ever chatted with him, he's really great around AI security, and he, I'll butcher it, but he basically says AI is essentially just software and data.
Like it's the same, you know, these fundamental concepts are still really relevant. And that's why you see when you look at like guidance from OWASP and others, a lot of the fundamental practices that we're used to in different areas of AppSec are still very relevant here for AI security. There's some nuances with models.
and things like that, of course. But a lot of the practices are still very relevant. Yeah, I was gonna say, especially on the supply chain side, it actually kind of baffles me how little we've done as an industry in making those connections and providing the capability, you know, just translating what we're doing for open source packages to models. It's starting to happen, but it's like, unfortunately, we're going to have to have the AI Log4j for organizations to really care, I think, about this, because at this point a lot of the threats are theoretical, or like a researcher was able to make an exploit, versus we haven't had that big bang.
Yeah, it's going to happen. Exactly. Yeah, I hate to say it, but it is coming. And it's like when you just take a step back and look at Hugging Face and this community where people can contribute models and, you know, things in an open source capacity, it sounds like, oh, wow, this is a lot like software supply chain and open source software security. A lot of the same concepts are still relevant here. We'll probably see similar attack scenarios play out, and we've already started to see, you know, model poisoning and people kind of contributing malicious models to these platforms. So we're heading in that direction already.
And we joked about this earlier. We talked about the kind of developer tax, and you had published some reports, I think, from IDC talking about this developer tax. And I think you said, I'd have to get the exact numbers, but it was something like, you know, 50% of developers spend nearly 20% of their time weekly on security tasks. And it's roughly equating to about $28,000 per developer per year for organizations. And we've seen these trends. We talked about this earlier, the next wave of SCA, but earlier on, it was shift left, right? Throw all the tools in the pipeline, SAST, SCA, infrastructure as code scanning, you name it. And it just dumped this massive burden on developers. And we talked about organizational communication; they started to resent us, right? DevSecOps was supposed to break down silos and build this, you know, kind of kumbaya relationship between us and developers, and it did the opposite, where they started dreading us. They didn't want to interact with us, because every time they interacted with us we're kind of adding more work to their plate, you know, the quote-unquote office of no, as we always hear it called.
This developer tax that you wrote about. Yeah, yeah. We actually, so we did this research in partnership with JFrog, and we were looking at really trying to understand the amount of time that developers were spending on security, because we didn't see a whole lot of good research that was out there on this. And so we did a really in-depth survey of developers and folks that lead development teams to try to understand how they are spending their time as it relates to security. And they did. They spend a significant amount. And when you multiply that by how much developers cost, they are not cheap employees by any means, a lot of time and money gets spent on security-related tasks, but yet we still have all of these issues and problems, right? And part of the issue here, and what we really uncovered and dug out, was that most of this time is related to inefficiency, not necessity, right? That this time really probably could be minimized if you're using the right tools that actually integrate into developer workflows and provide developers with low-noise, high-validity findings. Because most developers, as much as we joke that, you know, they don't care about security, they do. But what they don't want to deal with is when you're thrown a bunch of information that you have to spend a lot of time figuring out, and then it ends up that it doesn't really mean anything. That's where you create that cycle of distrust. And what we really saw in the research was where a lot of this time was, is in what I was kind of calling sense-making, right? Like when we would say, okay, you spend X amount of hours on SAST, and then across these different things, where is that time spent? And most of it is that trying to understand. Actually fixing the issue in the code was always very minimal. And most people said that they were presented with it; they didn't have to go and seek out the results or the data. It seemed like they had good flows of information as it related to security, but it's that figuring out what it is I have to do that was really the big time suck as it relates to developers and security. And so I think the important part here is, and I really tied this actually to some later research I did around auto-remediation and sort of the trends we've seen there, the capabilities and vendors in that space, is I really look at AI and auto-remediation as that bridge that's going to help reduce that sense-making time. And the important thing here is, when you think about it, people will say, vendors will say, oh, you can tie us into CI/CD, or, oh, here's the Jira connection, right? This is how we're developer friendly. And if you really understood developers, they don't want to be in Jira. That's context switching for them. Developers are working in IDEs and CLIs and in GitHub or GitLab, or, you know, in the pull request, merge request, right? That's where this information needs to go. And so I've seen that trend finally start to tick up. You have to have Jira, because unfortunately there are still, that's where a lot of organizations are still at. But when you look at the future and where you actually integrate into developer workflows, it's stuff like the IDE. It's the pull request. It's the developer portal, right? Like Backstage. Those are the tools that developers are doing their daily work in. And so security vendors need to think about, like, how do I present them with accurate, high-validity information in the actual tools that they're doing their work in? That's how you get them to produce secure code without, you know, all of this
tension that we currently have. Yeah. I think that's a lot of great points you made there. You know, that's why I think we've seen what you're kind of referring to, at a broad level, is context. Like, is it known to be exploited? Is it exploitable, like EPSS, for example? Is it reachable? And then runtime, right? Kind of shifting from left to bang, to looking at runtime environments, and rather than cramming everything in the pipeline, starting to look at runtime environments. And we saw 40,000 plus CVEs last year. The number is, I think, over 200-some thousand known vulnerabilities in the NVD, for example. Organizations can't keep up, and the tools are producing too many findings. So they need to see, hey, what do I really need to focus on? What actually matters? And I share the optimism with you in terms of Gen AI and AI more broadly, in terms of whether it's auto-remediation or at least context enrichment around vulnerabilities and things that developers need to focus on, and putting it in a language that they can understand, that is accessible. And then, you know, the point about integrating with the tools that they actually use and like to use, rather than ticketing systems that just feel like it creates more work for them, is another great point. So I wanted to ask you, you know, we're coming up on the end of the time here almost, but I wanted to ask you, you recently talked about, I think I saw
you say something in regard to how storytelling is critical to your work as an industry analyst. And I'm curious why you think that is. And I also think it's very relevant to our work in security, but I want to hear from you first. Yeah. Yeah. So as you know, my job is super fun and I love it. And it's a really interesting position to be in, right? Like I get to talk to so many people. I mean, I'm talking to vendors from this stealth startup that nobody's heard of yet all the way to, you know, the big mature companies. I talk to end user organizations, you know, huge enterprises that are dealing with these problems. I get to talk to practitioners. I go to events. And I consume a ton of information, so I kind of look at myself as this sieve, right, that is just pulling in all of these different perspectives and trying to make sense of what's going on. It's a lot of thread connecting, and then my job is kind of, how do I regurgitate that back out in a way that not only makes sense for folks of really wide-ranging levels of depth in technology, but also in a way that resonates. To me, I think it's really important to be able to tell, you know, a real story that has sufficient technical depth, but at the same time elevates it to a level where anybody can kind of understand the problem space. And I use a good example here of the software supply chain, right? And I'm pretty opinionated on this topic and have been since I started my research there, in that I think as an industry we over-rotate on the open source aspects of the software supply chain. I look at it very... And so to communicate this, I built this slide that I have reused over and over and over again. I built a little diagram of a Cheerios factory, and I try to translate that into what the aspects of the software supply chain are. Like, you know, the nuts and the wheat, that's your open source, right, or third-party dependencies that are coming in, but you still have all of these other points and things that touch that cereal as it moves through the process before it gets delivered to the shelves. And that whole thing is the software supply chain. And it allows me to lean into these, I think, more nuanced concepts like developer access and identity governance, I think, in the SDLC, sort of that whole non-human identity, machine identity space. I think that's a significant part of the software supply chain. And a lot of folks don't talk about that, because if you look at most software supply chain attacks, there's an identity aspect to it. There's a secret, there's a developer that was phished, you know, something like that. And then you have the machines, right? The machines that are making the cereal are your CI/CD tools, your build machines, those kinds of things. And it's packaged and put on trucks and deployed to the shelves. And then you need to monitor it when it's on the shelf, right? First in, first out, make sure stale products, you know, cereal, is not going out, as well as that, you know, your running app is not drifting from known good. So there's a lot of parallels when you try to understand it. And so to me, speaking in storytelling, trying to make these technical concepts more understandable, I think is, you know, really an important part of my role, as I'm talking to such a really wide-ranging audience of people.
Yeah, I think it's absolutely spot on. And it's also critical in security, like I was saying, you know, whether you're communicating with the board, your C-suite peers in different areas of the organization, you know, broader business organization peers who don't really understand security. And we come in with, you know, CS, ASPM, CAV, CP, you know, all these acronyms, right? It's like you need to communicate in a way that they can understand it, make it accessible, build rapport, build empathy, you know, empathy based on their role and what their incentives are and what they're prioritizing and why they're prioritizing it within the organization. And so, yeah, incredibly well said. And I got to say, you know, you mentioned that you just got into this about three years ago, coming from, you know, kind of a research background, a data background. You're articulating these issues incredibly well for someone who didn't kind of come up in traditional security. So I mean that. I appreciate that.
Truly impressed. And so I'm curious, you know, for folks that want to learn more, you know, from you, from IDC, where can they go? What are some big events that you have on your radar coming up? Where can they learn more? Yeah, sure. Yeah, absolutely. LinkedIn is obviously the easiest way to connect to me. I, you know, please add me, follow me. I do post fairly frequently. And, you know, as with most analyst firms, a lot of my research is behind a paywall. But I try to share what I can out in the open and comment on things within LinkedIn, and share what research I can. I'm always happy to take a briefing from a vendor, no matter what your size. And so please reach out to me if you've never talked with me before and want to show me what it is that you're doing in AppSec. And the same goes for end user organizations too. I love to hear about your problems, you know, and help you work through them with the knowledge that I have. I'll be at RSA in person. It's probably my next big vendor-neutral event. I usually do RSA, Black Hat, looking into even maybe OWASP Global this year, and try to get out there and interact with as many folks as I can. In person is always a lot better than the Zoom box around our heads. So yeah, please reach out. I'm happy to connect and would love to chat.
Awesome. Like she said, you can find her on LinkedIn. I often find some of her insights there. Check her out at some of the events that are coming up. And Katie, thanks so much for jumping on and having these conversations. I'm looking forward to your research this year on ASPM, AI applications, platform engineering, all the things we kind of talked about. And so thanks so much for joining me. Thanks to everyone who tuned in as well. Yeah. Thanks everyone.