Top 4 application security trends that can’t be ignored
Web applications and APIs are the primary means by which a company interacts with its customers. This makes application security a top-of-mind concern for all companies. In addition, the consistent rise in common vulnerabilities in web-facing applications and the need to secure them against evolving cyber threats has given application security a critical role in organizations’ security strategy. According to the SISA Top 5 Forensic-driven Learnings report, lack of application security causes 27% of breaches whilst contributing to 46% of them. Importantly, initial access into the environment via a web-based application exploit is seen to occur mainly in the UAT environment and/or other non-critical virtual local area networks (VLANs), underscoring the importance of implementing a robust application security program.
Over the last 3-5 years, there has been a marked cultural shift, with application security becoming a strategic initiative that spans departments, rather than being a point-in-time activity. Several factors are driving the rethinking of AppSec as a wider strategic program. These include the evolving threat landscape, the adoption of nimbler software development frameworks such as Agile and DevOps, and recent trends in things becoming deliverable-as-code, as with infrastructure-as-code and security-as-code. While these factors will continue to evolve and expand, the application security landscape will see new and emerging trends such as integration of security tools with DevOps, adoption of security automation, use of threat modelling and a shift to a design-led approach. The key trends expected to shape the AppSec landscape are discussed below.
Increasing adoption of security tools in CI/CD
The widespread adoption of DevOps practices and cloud platforms is gradually leading to the integration of security capabilities across the development cycle, all the way from feature design to deployment. Several solution providers now offer a new generation of AppSec tools built with CI/CD integration in mind. These modern tools enable scanning activities to shift left in the development lifecycle. In addition, popular software development platforms such as GitHub and GitLab are releasing security capabilities aimed at strengthening the application security tooling ecosystem. As the shift-left approach continues to intensify, application security will likely become a core part of automated development workflows, led by the integration of automated security testing into CI/CD pipelines. This will also see security guardrails built into the CI/CD pipelines themselves, enforcing requirements and best practices at every change, as opposed to the traditional approach of manual testing, stage-wise assessment and approvals.
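As an added illustration of such a pipeline guardrail (example code, not from the original article or from any particular vendor's tool): a small Python gate that reads the SARIF report a SAST step would emit and fails the build when any finding at or above a severity threshold is not already in an accepted baseline. The SARIF document, the tool name, the baseline and the threshold below are constructed assumptions.

```python
from typing import List, Set, Tuple

# Constructed SARIF 2.1.0 document, standing in for the report a SAST step uploads.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "hypothetical-sast", "rules": [
            {"id": "sql-injection", "properties": {"security-severity": "9.8"}},
            {"id": "weak-hash", "properties": {"security-severity": "5.3"}},
            {"id": "todo-comment", "properties": {"security-severity": "0.0"}},
        ]}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/main.py"}}}]},
        ],
    }],
}

# Constructed baseline: (rule, file) pairs already risk-accepted, so the gate does not re-block them.
BASELINE: Set[Tuple[str, str]] = {("weak-hash", "app/auth.py")}

def sarif_findings(sarif: dict) -> List[Tuple[str, str, float]]:
    """Flatten a SARIF document into (rule_id, file, numeric_severity) triples."""
    out = []
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        severity = {r["id"]: float(r.get("properties", {}).get("security-severity", 0)) for r in rules}
        for res in run.get("results", []):
            rid = res.get("ruleId", "")
            locs = res.get("locations") or [{}]
            uri = locs[0].get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "<unknown>")
            # Fall back to the SARIF level when the tool supplies no numeric severity for the rule.
            sev = severity.get(rid, {"error": 7.0, "warning": 4.0}.get(res.get("level"), 0.0))
            out.append((rid, uri, sev))
    return out

def gate(sarif: dict, threshold: float = 7.0, baseline: Set[Tuple[str, str]] = BASELINE) -> Tuple[bool, List[str]]:
    """Return (passed, blocking_messages): the build fails on any non-baselined finding >= threshold."""
    blocking = [f"{rid} in {uri} (severity {sev})"
                for rid, uri, sev in sarif_findings(sarif)
                if sev >= threshold and (rid, uri) not in baseline]
    return (not blocking, blocking)

if __name__ == "__main__":
    import json, sys
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    ok, msgs = gate(doc)
    print("PASS" if ok else "FAIL: " + "; ".join(msgs))
    raise SystemExit(0 if ok else 1)  # non-zero exit is what makes the pipeline stage fail
```

Run with a real SARIF path as the first argument from a pipeline step; the exit code alone is enough for the CI runner to block the merge.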
Integration of SAST and DAST
Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) complement each other, but because DAST exercises an application’s functionality at runtime, it is often applied only during the production phase of development. With DevSecOps assuming a critical role, SAST and DAST will become integrated into Interactive Application Security Testing (IAST), which analyses source code for security vulnerabilities and interactively tests the application while it runs. This is expected to boost security, as it covers both the assessment of the code and the running state of the application. Additionally, IAST will help strengthen the security of APIs by letting organizations look at both static and runtime vulnerabilities much earlier in the lifecycle. DAST will also evolve and assume a larger role as a risk assessment tool, rather than just a vulnerability detection tool, while also shifting left and being orchestrated in CI/CD pipelines.
The rise in security automation
Given the scale and pace of modern software development, security automation continues to grow in importance. Tooling needs to be smart, and manual assessment needs to be targeted at the places where effective automated tooling does not yet exist. With incremental development methodologies becoming the new norm, security testing has gone from a monolithic penetration test every year, or before each major release, to an intrinsic part of the development of each new feature or update. Modern security automation means that security testing happens throughout the development cycle: from linting in the Integrated Development Environment (IDE) and static code analysis to dynamic testing, as well as automated ways to deploy containers and virtual environments. The adoption of automated security testing that includes open-source components is only expected to accelerate, with tools such as RPA, SOAR and XDR enabling organizations to automate workflows, threat hunting and incident response.
Importance of threat modelling
The role of threat modelling in application security is still taking shape. The idea is one that security experts can universally get on board with: identifying and understanding the potential threats against a product, figuring out how to mitigate those threats, and then validating and adjusting the model and mitigations as necessary. In modern incremental software development, threat modelling is relevant throughout the lifecycle, since each new feature or update can change the threat model. However, security experts still need to arrive at a consensus on how best to do it, including how much should be done manually and how much through tools. As the volume and complexity of applications rise, security teams will shift from the traditional whiteboarding approach to automated threat modelling for real-time monitoring and analysis at scale. Newer solutions and tools that support customization of components, frameworks and templates will find their way into the workflows. These will play an important role in guiding the choice of algorithms, frameworks, libraries, authentication and cryptography for identifying and mitigating threats.
Conclusion and best practices
Application security is racing to keep pace with an application development environment fuelled by DevOps. Legacy approaches to application security testing suffer from being point-in-time and are based on production testing or large-scale code scanning projects. The issue with this approach is its inability to keep pace with the frequency of changes in the development and update of an application. With DevSecOps and secure-by-design set to become the de facto approach, organizations must craft a robust AppSec program that offers end-to-end visibility, automates security controls, and drives security ownership. One best practice is a vulnerability management program that identifies vulnerabilities not just in the OS, but in all applications (including Adobe, MS Word, Excel, etc.) deployed within the network, as well as web applications, mobile applications, APIs, libraries, and the platform environment. Additionally, performing fortnightly or monthly application penetration testing and vulnerability assessment scans is ideal. This can help organizations proactively identify threats and remediate them.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.