Last Updated on January 14, 2024
The largest subset of products and solutions exhibited at the recent RSA Conference (RSAC) 2023 in San Francisco was application security (AppSec) tools, especially around API security. One person I talked to said he had counted 39 pure-play API security vendors at the conference, which I found amazing—and encouraging. “Shifting security left” to the initial phases of the software development lifecycle (SDLC) is clearly on the rise in our industry. And it’s not a moment too soon.
Security automation
The ongoing global shortage of competent cybersecurity professionals continues, with something like 3.4 million unfilled positions. Given that situation, the ability to automate security tasks, whether for application security or in other areas of cybersecurity, could be a huge benefit.
If we can use “intelligent” technology to manage or augment our cybersecurity and/or compliance programs, we stand a better chance of overcoming budget and skills challenges to improve security outcomes. This was a major theme at RSAC that certainly will continue to build momentum given market forces.
90-Day TLS Certificates are coming
Another wake-up call for me at RSAC 2023 is that 90-day TLS/SSL certificates are coming. Google recently announced that it plans to reduce the maximum validity for public TLS certificates from 398 days to 90 days, probably before the end of 2024.
According to Google, shorter certificate lifetimes better protect internet users by decreasing the potential impact of compromised keys, while at the same time accelerating the replacement of insecure systems. By making its intentions clear in advance, Google is giving certificate users more time to prepare for this transition and its implications for managing certificates.
Automated certificate lifecycle management solutions are sure to grow in importance, as manually renewing and deploying certificates across all systems not just once per year but four times per year would be unacceptably burdensome. Companies will also need to reverify their domains every 90 days. Any organization that relies on its website for revenue or supports a SaaS application will surely be taking notice of this change.
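As an added example (not from the original post), the audit helper below checks certificate validity windows against the 90-day maximum described above and computes a renew-by date; it uses only the Python standard library, operates on the dict shape that ssl.SSLSocket.getpeercert() returns, and assumes a renewal policy of "renew once two thirds of the lifetime has elapsed", which is an assumption and not something the post states.

```python
"""Audit TLS certificate lifetimes against a 90-day maximum (added example)."""
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 90       # proposed cap on public TLS certificate validity
LEGACY_LIFETIME_DAYS = 398   # current maximum validity
RENEW_FRACTION = 2 / 3       # assumption: renew after two thirds of the lifetime

# Constructed sample certificates (not real) in getpeercert() dict format.
SAMPLE_CERTS = [
    {"subject": ((("commonName", "legacy.example.test"),),),
     "notBefore": "Jan  1 00:00:00 2024 GMT",
     "notAfter": "Feb  2 00:00:00 2025 GMT"},   # 398-day certificate
    {"subject": ((("commonName", "short.example.test"),),),
     "notBefore": "Jan  1 00:00:00 2024 GMT",
     "notAfter": "Mar 31 00:00:00 2024 GMT"},   # 90-day certificate
]
AUDIT_AS_OF = datetime(2024, 3, 15, tzinfo=timezone.utc)  # constructed "now"


def _parse(cert_time):
    """Convert the OpenSSL-style time string used by getpeercert() to UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def audit_cert(cert, now):
    """Report lifetime, days remaining, 90-day compliance and renewal status."""
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    lifetime = not_after - not_before
    renew_by = not_before + lifetime * RENEW_FRACTION
    return {
        "subject": dict(rdn[0] for rdn in cert["subject"])["commonName"],
        "lifetime_days": lifetime.days,
        "days_remaining": (not_after - now).days,
        "compliant_90d": lifetime.days <= MAX_LIFETIME_DAYS,
        "renew_by": renew_by.date().isoformat(),
        "renew_now": now >= renew_by,
    }


def audit_samples(now=AUDIT_AS_OF):
    """Audit the constructed sample certificates as of the given instant."""
    return [audit_cert(cert, now) for cert in SAMPLE_CERTS]


if __name__ == "__main__":
    for row in audit_samples():
        flag = "OK " if row["compliant_90d"] else "LONG"
        print(f"{flag} {row['subject']}: {row['lifetime_days']}d lifetime, "
              f"{row['days_remaining']}d left, renew by {row['renew_by']}")
```

Feeding it the dicts returned by a real getpeercert() call over an inventory of hosts turns it into a quick check of which certificates still carry 398-day lifetimes and which are already past their renewal point.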
What’s next?
For more insights on this topic, tune in to Episode 117 of The Virtual CISO Podcast, featuring Pivot Point Security CISO and Managing Partner, John Verry.