State of App Strategy 2023: Security at your Service. Literally.

Lori MacVittie
Published March 29, 2023

There are two kinds of speed that security professionals struggle with. The first is related to performance, and balancing the need to respond quickly to requests with the need to protect both users and corporate assets from exploitation. This struggle is primarily one of risk management. As we discovered last year in our annual research, a plurality of organizations are, in fact, willing to sacrifice security for some defined improvement in performance. 

But there is another kind of speed that security professionals—along with the businesses they serve—struggle with. That is, the speed to address emerging threats. You know, zero-day exploits of vulnerabilities. DDoS attacks targeting networks, applications, and APIs that appear out of nowhere. 

We know from other industry research that when it comes to patching vulnerabilities there is a significant gap between discovery and closure that leaves businesses vulnerable to attack. We also know that pushing the right policies to address DDoS attacks to the right systems and services can also take time that, in the world of digital business, costs real money. 

So it was not really a surprise when we asked respondents to our State of Application Strategy 2023 survey about the reasons they’re adopting Security as a Service (SECaaS). 

Overwhelmingly the answer was “speed.” 

This need for speed is affecting the decisions about where to deploy workloads. For the first time in our nine-year history of conducting this research, we saw security services deployed off-premises (36%) at a slightly higher rate than on-premises (35%). No other category of app delivery services is even close to parity. But security? Security is being deployed in the public cloud and as a service in increasing numbers. 

And when we looked at the types of workloads respondents planned to deploy at the edge, it is probably no surprise that those planning to deploy security service workloads tagged “speed to address emerging threats” as the top reason for adopting SECaaS.

Now, none of this should be a surprise. One of the operational benefits of adopting SECaaS—whether traditional or at the edge—is the speed with which providers can address emerging threats. But it’s also good for performance. Moving security services closer to the user—which includes bad actors who pretend to be users—means detecting and neutralizing threats sooner, which prevents them from overwhelming target apps, APIs, and services. 

And as readers are aware, operational axiom number two states that “as load increases performance decreases.” So, if any service or system in the critical path—between the user and the app/API—is suddenly overwhelmed by an attack, its load increases as it tries to address it. As load increases… performance decreases. 

By pushing the responsibility to detect and neutralize attacks at the edge, businesses are effectively gaining both “speed” benefits—that of response time to emerging attacks and real-time performance of apps and APIs. 

Now, it’s also true that not every security function is a good fit for “as a service” or at the edge. But when it comes to protections like DDoS and WAAP, it’s absolutely true that “as a service” and at the edge are good options to optimize for both kinds of speed—operational and runtime. That’s one of the reasons it’s increasingly important that the design of a digital service includes both app delivery and security considerations at design time.

One of the ways organizations are doing that is by adopting a platform approach to security. I won’t spoil our findings around that topic by diving in here, but you can read about them in our 2023 State of Application Strategy Report.

Stay safe out there.