Hey, AppSec, leave those developers alone!

Shahar Man


March 26, 2024

At the heart of our mission at Backslash is a deliberate focus on Application Security (AppSec) professional teams, a strategic choice that goes beyond simply shifting left the responsibility to the developers. We are driven by the belief that empowered security teams should lead the security policies for development based on facts and accuracy.

These days, with new technology breakthroughs, vendors must ensure that security measures do not hinder the creative process of developing innovative software. Context-switching for developers, particularly due to false alarms, diminishes productivity and gradually erodes trust. Therefore, identifying risks and setting security priorities should be the responsibility of the security teams, allowing developers to focus on innovation without unnecessary interruptions.

Developers are crafting beautiful features and functionalities that drive progress. Their expertise lies in turning complex problems into elegant solutions, a task that requires a deep focus on creativity and efficiency. However, security presents a different challenge that requires a specialized approach to identify, analyze, and mitigate risks.

Thank you guys for shifting left… Security, Quality, and everything else; now "I can really develop fast and meet my feature deadline"…

Security: A Specialized Mindset

At Backslash, we argue that expecting developers to shoulder the burden of security in addition to their primary responsibilities dilutes their focus and undermines the effectiveness of security measures. Security is a specialized mindset, one that demands a deep understanding of the evolving threat landscape, and the ability to anticipate and counteract sophisticated attacks. 

Bridging the Gap 

Historically, the tools designed for developers have aimed to highlight every possible vulnerability, regardless of its context, exploitability, reachability, or criticality. This approach often results in a flood of information that overwhelms developers and leads to prioritization challenges. It's like searching for a needle in a haystack, where the real threats to an organization's security are buried under a mountain of potential vulnerabilities.

We at Backslash believe in a different approach. Our focus is on developing a solution that first and foremost serves the needs of AppSec professionals and CISOs, providing them with clear visibility into the vulnerabilities that truly pose a risk to their organization. By filtering out the noise and focusing on critical issues, this approach allows security teams to:

1. Short-list a manageable number of real findings based on attack-path rationale.

2. Provide crisp evidence in a developer-friendly language.

3. Reduce endless triaging time and communicate effectively with development teams.

4. Reclaim the AppSec team's professional credibility, and stop chasing vulnerability lists like program managers.
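As an added illustration of what "attack-path rationale" and "crisp evidence" can mean in practice (this is not Backslash's code, nor a description of its product), the script below takes a constructed list of dependency findings, a constructed call graph and two assumed entry points, drops findings whose vulnerable function is not reachable from any entry point, ranks the rest by severity and exposure, and attaches the call chain as evidence a developer can act on. Every module, function and finding name here is made up.

```python
from collections import deque

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed call graph (caller -> callees). In a real pipeline this would come
# from a static analyser; all names below are hypothetical.
CALL_GRAPH = {
    "app.handle_request": ["app.auth", "libparse.parse_header"],
    "app.auth": ["jwtlib.verify"],
    "app.cron_job": ["reportgen.render"],
    "reportgen.render": ["imglib.resize"],
    "libparse.parse_header": [],
    "jwtlib.verify": [],
    "imglib.resize": [],
    "yamlio.load": [],  # vendored, but never called from application code
}

# Assumed entry points; True marks the ones reachable from the internet.
ENTRY_POINTS = {"app.handle_request": True, "app.cron_job": False}

# Constructed scanner output: which function in a dependency is vulnerable.
FINDINGS = [
    {"id": "F-1", "package": "libparse", "vuln_function": "libparse.parse_header", "severity": "critical"},
    {"id": "F-2", "package": "yamlio", "vuln_function": "yamlio.load", "severity": "critical"},
    {"id": "F-3", "package": "imglib", "vuln_function": "imglib.resize", "severity": "high"},
    {"id": "F-4", "package": "jwtlib", "vuln_function": "jwtlib.verify", "severity": "medium"},
]


def shortest_path(graph, start, target):
    """Breadth-first search; returns the call chain from start to target, or None."""
    if start == target:
        return [start]
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee in parents:
                continue
            parents[callee] = node
            if callee == target:
                path = [callee]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append(callee)
    return None


def attack_path(graph, entry_points, target):
    """Return (path, exposed) preferring internet-facing entries, then shorter chains."""
    candidates = []
    for entry, exposed in entry_points.items():
        path = shortest_path(graph, entry, target)
        if path is not None:
            candidates.append((0 if exposed else 1, len(path), entry, path))
    if not candidates:
        return None, False
    candidates.sort()
    _, _, entry, path = candidates[0]
    return path, entry_points[entry]


def triage(findings, graph, entry_points):
    """Split findings into a ranked short-list (with evidence) and a deferred list."""
    shortlist, deferred = [], []
    for finding in findings:
        path, exposed = attack_path(graph, entry_points, finding["vuln_function"])
        if path is None:
            deferred.append({**finding, "reason": "no call path from any entry point"})
            continue
        # Severity sets the base; exposure through an internet-facing entry adds weight.
        score = SEVERITY_WEIGHT[finding["severity"]] + (2 if exposed else 0)
        shortlist.append({**finding, "score": score, "exposed": exposed,
                          "evidence": " -> ".join(path)})
    shortlist.sort(key=lambda r: (-r["score"], r["id"]))
    return shortlist, deferred


if __name__ == "__main__":
    ranked, parked = triage(FINDINGS, CALL_GRAPH, ENTRY_POINTS)
    for row in ranked:
        print(f"{row['id']} score={row['score']} {row['severity']:8} {row['evidence']}")
    for row in parked:
        print(f"{row['id']} deferred: {row['reason']}")
```

Note that the medium-severity finding in an internet-facing flow outranks the high-severity one that is only reachable from an internal job, and the critical finding in a never-called dependency is deferred rather than shown to developers at all; that ordering, with the call chain as evidence, is the point of prioritizing by context rather than by raw severity.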

The Funnel of Trust

Our vision extends beyond just creating effective tools; it's about building trust and collaboration between AppSec teams and developers. By integrating our security solutions directly with developer tools, we create a "funnel of trust" where developers are presented with actionable, high-quality security insights. This approach not only streamlines the remediation process but also restores developers' faith in security tools, encouraging a more collaborative and proactive security posture.

Adapting to the Age of AI

If you don't think the problem is severe enough today, consider how Michael G. Scott, a character from the TV show 'The Office,' titled his book: 'Somehow I Manage.' AI is set to take this to the extreme.

As artificial intelligence (AI) begins to play an increasingly prominent role in code generation, the distinction between our approach and the traditional developer-centric model becomes even more critical. If we continue to place the entire burden of security on developers, they may find themselves trapped in an endless cycle of fixes, leaving little room for innovation. By empowering AppSec teams with the tools to identify and prioritize critical vulnerabilities, we ensure that developers can focus on what they do best: creating innovative software.

Disrupting the pricing model – This is why we don’t price per developer

At Backslash, our commitment to this approach is reflected in every aspect of our operations, from the design of our tools to our pricing model. We choose to focus on application-centered pricing rather than developer-centered pricing, underscoring our belief in supporting the AppSec community.

In conclusion, our decision to focus on AppSec over developers is driven by a deep belief in the specialized nature of security and the importance of collaboration between security experts and developers. By providing AppSec teams with the tools they need to identify and prioritize real threats, we aim to foster a more secure, innovative, and efficient software development ecosystem. At Backslash, we're not just building tools; we're building bridges.