Thanks for this great article. I think this gap isn't talked about enough - the juggling and ultra wide scope defines our profession, but I am not sure if it's sustainable.
I especially liked the diagram where you show the tool types in the market and the parts where we struggle. Alas I fear that such products won't be made as they "won't scale" (so no funding) as you really need to tailor them to the particular company environment (processes, risk appetite, etc.). Hope to be proven wrong.
You've hit the mark here on the human dimension of sustainability for us as practitioners. When tools don't integrate well or require extensive customization, they are creating technical debt and practitioner burnout by forcing individuals to become the human integration layer.
I am cautiously optimistic that we might see some movement here where vendors stand out with their "configuration over customization" approach or as we see practitioner buying power increasing (practitioners who refuse to adopt tools that don't fit their workflows are becoming a forcing function for better products, especially as teams realize that tool abandonment is more costly than initial vendor selection).
When I was searching for an “ASPM” solution I found it very hard to find something that came even close to matching our needs although I checked about 30 vendors. It all sounds good in theory, but rarely fitted your reality. And it gets worse when AppSec practitioners fall for the shiny generic promises of those vendors without understanding their own developers reality and needs first.
Well phrased. A lot of the times the pilot phase for the vendor product looks promising and issues crop up when operationalizing the tools to truly unlock the value for the organization.
Yes, I had to learn it the hard way. Had to replace my first tool after two years because they didn’t want to build the essential feature I (or better said, my dev teams) needed and I just had their word, nothing in contract. I knew I had to replace it, but finding something better was even harder, now knowing what I was searching for in more detail.
Thanks for this great article. I think this gap isn't talked about enough - the juggling and ultra wide scope defines our profession, but I am not sure if it's sustainable.
I especially liked the diagram where you show the tool types in the market and the parts where we struggle. Alas I fear that such products won't be made as they "won't scale" (so no funding) as you really need to tailor them to the particular company environment (processes, risk appetite, etc.). Hope to be proven wrong.
Miloslav, 100%.
You've hit the mark here on the human dimension of sustainability for us as practitioners. When tools don't integrate well or require extensive customization, they are creating technical debt and practitioner burnout by forcing individuals to become the human integration layer.
I am cautiously optimistic that we might see some movement here where vendors stand out with their "configuration over customization" approach or as we see practitioner buying power increasing (practitioners who refuse to adopt tools that don't fit their workflows are becoming a forcing function for better products, especially as teams realize that tool abandonment is more costly than initial vendor selection).
When I was searching for an “ASPM” solution I found it very hard to find something that came even close to matching our needs although I checked about 30 vendors. It all sounds good in theory, but rarely fitted your reality. And it gets worse when AppSec practitioners fall for the shiny generic promises of those vendors without understanding their own developers reality and needs first.
Well phrased. A lot of the times the pilot phase for the vendor product looks promising and issues crop up when operationalizing the tools to truly unlock the value for the organization.
Yes, I had to learn it the hard way. Had to replace my first tool after two years because they didn’t want to build the essential feature I (or better said, my dev teams) needed and I just had their word, nothing in contract. I knew I had to replace it, but finding something better was even harder, now knowing what I was searching for in more detail.