Attacks on applications aren’t going away. In fact, there was a 40 percent increase in attacks from August to September of this year. Enterprises must remain diligent, learning about the latest application security trends and developments.
We dig into five AppSec trends that are becoming staples on many application security plans, so you can decide which ones you need to adopt for better application security.
Five Application Security trends you need to know about
The arrival of a legitimate DevSecOps approach
Most of us are familiar with DevOps and DevSecOps. In fact, we have written about both approaches in the past.
As a quick refresher, DevOps combines the development and operations aspects of software and application development. These two groups collaborate to support the increased frequency of application updates that comes with the Agile development methodology. It didn’t take long before it became apparent that security needed to be added into this equation—rapid releases need to be secure to avoid exposing an application to attack.
The DevSecOps approach integrates security team efforts with development team efforts, making security an equally important part of the design and development process. Unfortunately, in many cases, DevSecOps was only paid lip service, with security still not being given the full attention it deserves.
We are finally starting to see this change. More teams are building security into the entire Software Development Life Cycle (SDLC). Organizations are integrating application security testing into all phases of development. Issues are identified and remediated faster, saving time and money and reducing the risk of deploying an insecure application.
Some of the application security tools used by organizations can even be integrated into the Continuous Integration / Continuous Deployment (CI/CD) environment. Applications can be scanned for vulnerabilities with every patch and release. Burp Suite is an example of such a tool.
All organizations should consciously make the move towards a true DevSecOps approach, integrating both security teams and tools into all phases of design and development.
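The CI/CD gate described above, shown as an added example rather than code from this article or from any scanner vendor: the script reads a scanner report, fails the pipeline when any finding at or above a severity threshold is present, and honours time-limited accepted-risk waivers so that a deliberately accepted finding does not block every release forever. The report format, finding ids, severities and waiver entries are all constructed for the example; a real pipeline would feed in the report file its scanner actually writes.

```python
import json
import sys
from datetime import date

# Constructed scanner output; a real pipeline would read the scanner's report file instead.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42},
        {"id": "F-2", "rule": "weak-hash", "severity": "medium", "file": "app/auth.py", "line": 17},
        {"id": "F-3", "rule": "debug-enabled", "severity": "low", "file": "app/settings.py", "line": 3},
        {"id": "F-4", "rule": "xss", "severity": "critical", "file": "app/views.py", "line": 88},
    ]
})

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed accepted-risk register: a waiver only counts while its expiry date is in the future,
# so an accepted risk is re-examined instead of silently becoming permanent.
ACCEPTED_RISKS = {
    "F-4": {"reason": "output escaped by the template layer; ticket PLACEHOLDER-ID", "expires": "2099-01-01"},
    "F-1": {"reason": "old waiver, never renewed", "expires": "2000-01-01"},
}


def evaluate_report(report_json, threshold="high", accepted=ACCEPTED_RISKS, today=None):
    """Return the gate decision: which findings block the build and which were waived.

    today is an ISO date string (defaults to the current date) so the decision is reproducible in tests.
    """
    today_date = date.fromisoformat(today) if today else date.today()
    findings = json.loads(report_json)["findings"]
    min_rank = SEVERITY_RANK[threshold.lower()]
    blocking, waived = [], []
    for finding in findings:
        # Findings below the threshold are reported elsewhere but do not gate the release.
        if SEVERITY_RANK.get(finding["severity"].lower(), 0) < min_rank:
            continue
        waiver = accepted.get(finding["id"])
        if waiver and date.fromisoformat(waiver["expires"]) > today_date:
            waived.append(finding)
        else:
            blocking.append(finding)
    # Most severe first, so the pipeline log leads with what matters.
    blocking.sort(key=lambda f: SEVERITY_RANK[f["severity"].lower()], reverse=True)
    return {"passed": not blocking, "blocking": blocking, "waived": waived}


if __name__ == "__main__":
    result = evaluate_report(SAMPLE_REPORT)
    for finding in result["blocking"]:
        print(f"BLOCKING {finding['severity']:>8} {finding['rule']} at {finding['file']}:{finding['line']}")
    for finding in result["waived"]:
        print(f"waived   {finding['severity']:>8} {finding['rule']} (accepted risk, expiry tracked)")
    # Non-zero exit status is what makes the CI stage fail.
    sys.exit(0 if result["passed"] else 1)
```

The threshold is deliberately a parameter: teams usually start by gating only on critical findings and tighten to high once the backlog is under control, which is the gradual adoption the article describes.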
A larger role for developers in AppSec
A natural result of the move to a true DevSecOps approach is a greater involvement of developers in the application security process. In the past, developers would perform their work and security team members would run scans, review results, and flag issues.
Now, developers are getting more involved, since fixing an application vulnerability earlier in the development process supports the Agile approach and saves time and money.
One of the ways this is being done is with an application vulnerability management tool that integrates with developers’ preferred working environment, such as Eclipse. Developers can stay within their application of choice while reviewing and addressing security issues. This type of tool makes developers part of the security team and makes it easy for them to focus on remediation.
Security training for developers
Another result of building security into the development process is formal security training for developers. Education includes:
- How to build secure code
- Best practices for a successful application security strategy
- Training on how to use the AppSec tools deployed in the enterprise
Training teaches developers the importance of security and helps reduce the occurrence of vulnerabilities from the start. When developers truly understand why AppSec is important, and know how to use tools to remediate issues quickly and efficiently, the entire AppSec process benefits.
The rise of vulnerability prioritization
As developers become more active in remediation, they need to know which issues should be addressed first. This makes vulnerability prioritization critically important.
AppSec tools deliver a long list of results. To stay agile, you need to be able to weed out duplicates and determine which threats pose the biggest risk.
An application vulnerability manager takes care of de-duplication and produces a single report displaying results from your AppSec tools. Some application vulnerability managers offer Hybrid Analysis Mapping (HAM), cross-referencing results from Static Application Security Testing (SAST) tools and Dynamic Application Security Testing (DAST) tools.
SAST tools identify potential vulnerabilities, while DAST tools discover vulnerabilities that are actually exploitable. Cross-referencing results gives you a list of the threats that actually pose a risk to your application, so you know which ones should be addressed first.
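The de-duplication and SAST/DAST cross-referencing just described, as an added example that is not code from this article or from any vulnerability-management product. The route-to-source map stands in for the attack-surface mapping a HAM-capable tool derives from the application's routing code; the two SAST feeds, the DAST feed, the CWE ids, file names and URLs are all constructed. Findings are merged by weakness type and code location, duplicates from different SAST tools collapse into one record, and anything confirmed by both a static and a dynamic tool is ranked first.

```python
from urllib.parse import urlparse

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed stand-in for the attack-surface map: request path -> source file handling it.
ROUTE_MAP = {"/login": "app/auth.py", "/search": "app/search.py", "/profile": "app/profile.py"}

# Constructed SAST output from two different static tools; the first two entries are the same defect.
SAST_FINDINGS = [
    {"tool": "sast-a", "cwe": "CWE-89", "file": "app/auth.py", "line": 42, "severity": "high"},
    {"tool": "sast-b", "cwe": "CWE-89", "file": "app/auth.py", "line": 42, "severity": "critical"},
    {"tool": "sast-a", "cwe": "CWE-79", "file": "app/search.py", "line": 10, "severity": "medium"},
    {"tool": "sast-a", "cwe": "CWE-327", "file": "app/crypto.py", "line": 5, "severity": "medium"},
]

# Constructed DAST output: what a dynamic scanner actually triggered against the running app.
DAST_FINDINGS = [
    {"tool": "dast-x", "cwe": "CWE-89", "url": "https://app.example/login", "param": "username", "severity": "high"},
    {"tool": "dast-x", "cwe": "CWE-79", "url": "https://app.example/profile", "param": "bio", "severity": "medium"},
]


def locate(dast_finding, route_map):
    """Map a DAST finding's URL to the source file that handles that path; None if unmapped."""
    return route_map.get(urlparse(dast_finding["url"]).path)


def prioritize(sast, dast, route_map):
    """Merge SAST and DAST findings by (CWE, location) and rank them for remediation."""
    merged = {}  # insertion-ordered: (cwe, location) -> merged record

    def record(key, cwe, file):
        if key not in merged:
            merged[key] = {"cwe": cwe, "file": file, "sast_tools": [], "dast_tools": [],
                           "lines": set(), "urls": set(), "severity": "info"}
        return merged[key]

    def raise_severity(rec, severity):
        if SEVERITY_RANK[severity] > SEVERITY_RANK[rec["severity"]]:
            rec["severity"] = severity

    for f in sast:
        rec = record((f["cwe"], f["file"]), f["cwe"], f["file"])
        if f["tool"] not in rec["sast_tools"]:
            rec["sast_tools"].append(f["tool"])  # second tool on the same defect: no second ticket
        rec["lines"].add(f["line"])
        raise_severity(rec, f["severity"])

    for f in dast:
        file = locate(f, route_map)
        # Unmapped URLs are still kept, keyed by path, so exploitable findings are never dropped.
        rec = record((f["cwe"], file or urlparse(f["url"]).path), f["cwe"], file)
        if f["tool"] not in rec["dast_tools"]:
            rec["dast_tools"].append(f["tool"])
        rec["urls"].add(f["url"])
        raise_severity(rec, f["severity"])

    out = []
    for rec in merged.values():
        if rec["sast_tools"] and rec["dast_tools"]:
            rec["priority"] = 1   # located in code and proven reachable: fix first
        elif rec["dast_tools"]:
            rec["priority"] = 2   # exploitable, but the code location still has to be found
        else:
            rec["priority"] = 3   # static-only: potential, not yet shown to be reachable
        rec["lines"] = sorted(rec["lines"])
        rec["urls"] = sorted(rec["urls"])
        out.append(rec)
    out.sort(key=lambda r: (r["priority"], -SEVERITY_RANK[r["severity"]]))
    return out


if __name__ == "__main__":
    for rec in prioritize(SAST_FINDINGS, DAST_FINDINGS, ROUTE_MAP):
        print(f"P{rec['priority']} {rec['severity']:>8} {rec['cwe']} {rec['file'] or '(unmapped)'} "
              f"sast={rec['sast_tools']} dast={rec['dast_tools']}")
```

Six raw findings become four records, and the one SQL injection that both a static tool and the dynamic scanner agree on lands at the top of the list; the medium static-only findings are kept, but developers see them after the items that are demonstrably reachable.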
Increased spending on newer AppSec testing technologies
Forrester predicts that spending on application security tools will grow more than 16 percent annually. Forrester also expects the biggest growth in spending to be focused on the newer AppSec testing technologies, such as Interactive Application Security Testing (IAST) tools, Software Composition Analysis (SCA) tools, and bot management.
IAST tools combine the benefits of SAST and DAST tools by using information from inside the application to identify vulnerabilities while the application is running. SCA tools analyze the third-party source code, libraries, and frameworks used in your application to identify security vulnerabilities and licensing issues. Bot management determines whether a request to an application comes from a human or a bot; the software attempts to differentiate between “good” and “bad” bots and blocks the “bad” bots from accessing the application.
While the older, more traditional tools (SAST and DAST) are not going away, organizations are planning to spend more money on the newer technologies to further bolster their application security strategy. As we have mentioned in the past, it takes a combination of testing tools to achieve comprehensive application security, so we are not surprised by this increase in the types of tools employed.