When Conviso was founded in 2008, secure software development was still a little-discussed topic. Back then, even when the subject was software development, security efforts still focused on IT infrastructure. The Application Security market in Brazil was in its very early stages.
It was the beginning of what we now know as cloud computing: the big cloud providers (AWS, Google, IBM, Microsoft) began to offer the infrastructure-on-demand model at scale, making the purchase of a series of physical computing products look excessive and obsolete.
And it was in the midst of this scenario that business managers became more concerned with application development. It was the process of Digital Transformation, now happening at a much faster pace.
A new scenario
With this so-called new scenario, digital security had to change as well. After all, with the maturity of cloud security controls, cybercrime began to focus more on web and mobile applications, which now represent a much larger – and still very vulnerable – attack surface.
An era then arose with new attack techniques – and with even more disastrous results. The market started to witness cases of leaks of hundreds of millions of records – all exposed by software failures. That’s when the big players started to realize that AppSec should be taken seriously.
That is why we always emphasize that the history of Conviso intersects with the history of Application Security in Brazil. After all, we have not only been witnessing, but we have also been actively participating in the research and development of this area that – although so important – is still so neglected in Brazil.
In a podcast about the history of AppSec in Brazil (in Portuguese), our CEO Wagner Elias told us what the AppSec market was like when Conviso started: “There wasn’t much going on yet”. After all, professionals were not yet focused on understanding what software development was like and how to bring security to these teams. “We Brazilians consume a lot of things from abroad; there is this misconception that what comes from other countries is far better than what we can find in our own country. In addition, the AppSec culture in Brazil is still somewhat flawed. And there is also the factor of the difficulty with the language – a lot of the material regarding AppSec is in English only – which means that we don’t have as many trained professionals as we would like”.
Where can we find examples of AppSec on a daily basis?
Although the term “application security” may seem new to people who do not work directly with technology, the truth is that applications today play an integral role in daily life. Ordinary users, companies and various sectors of government all need them for work, business, studies, entertainment, sales, etc.
If you have ever shopped online, made financial transactions on your computer, or even taken classes on platforms over the internet, you have most likely depended on application security without even realizing it.
But what is the Brazilian AppSec market like nowadays?
In 2020, Conviso conducted a survey with companies from all over Brazil to understand how the AppSec market is currently doing. Professionals from the following sectors were interviewed:
- Telecommunications / Internet
- Health / Pharmaceuticals
The interviewees were mostly professionals linked to the companies’ information security sector, such as Security Managers (CSO / CISO), Development Managers, Technology Directors (C-Level), Developers, Architects / Software Engineers and Security Analysts.
51.6% of them stated that their company has a dedicated Application Security area. 50% of them also reported that the companies they work for have a specific Application Security budget.
When asked whether DevOps is being implemented as a culture in their teams, 59% said yes.
However, only 12.5% said they believe their development teams have satisfactory knowledge of application security.
54.8% handle vulnerability management with dedicated tools.
Brazil is the most affected country by attacks on web applications
In 2020, we published an article on our blog with data from Statista showing that Brazil was the country most affected by attacks on web applications in 2019. This reflects a very strong cultural issue – that, overall, we only think about AppSec reactively, not preventively.
This problem became even more evident throughout 2020 when, in the midst of the pandemic, a series of news reports described vulnerabilities that exposed important data in the systems of Brazilian government institutions.
That is why at Conviso we always emphasize that there are no miracles: the way to ensure application security is primarily through cultural change. It is necessary to include security in a company’s daily routine.
And it’s not just leaders and managers at large companies that need to invest more in application security – a significant change in this scenario also requires a cultural change among IT professionals themselves.
An example: a programmer should also learn about security in order to build applications that are secure from the start. But convincing professionals who already work under really tight deadlines of this is a great challenge.
The biggest difficulty today is changing the culture of companies so that they build secure applications instead of investing only in security testing. And this transformation must come from the software development teams themselves.