The Future of Application Security

At the beginning of 2020, digital transformation was already on the agenda of IT executives and organizations in all industries. However, when the pandemic hit, any plan of a slow and easy transition went out the window as IT and security professionals raced to secure and manage a completely remote workforce. Now, IT executives and organizations are instead thinking about:

  • The need to integrate security into the development process
  • The priority of a solutions-based program (rather than a tools-based one)
  • The pipeline of security talent
  • The cultural transformation around security and IT teams

Let’s take a closer look at these aspects that, I believe, will constitute the future of application security.

Even as digital transformation requires that software be built faster, application security is required during the entire process to understand and reduce software security risk. Aligning application security programs with the software development life cycle (SDLC) allows your development teams to research findings and address application security issues in a planned and systematic manner. According to recent research examining the state of application security, only five of our research team’s ten most common risk detections are represented in the OWASP Top 10. Research from the team also found that more than 40 percent of applications are actively leaking information and are at risk of exposing sensitive data, with apps in the manufacturing and health care sectors seeing the highest window of exposure (70% of manufacturing applications and 60% of health care applications have at least one serious vulnerability open over the previous 12 months).

In the future, we will continue to see an integration of security into DevOps. Successfully baking security into every step of the development process will be measured by how silent and seamless the security process can be – similar to performance testing, QA testing, functionality testing and so on. This is not only paramount in creating constant improvement and solutions-based processes, but it’s also the natural way development teams should run.

Another transformation we see within application security is in the way we approach security as a whole. There needs to be a servant leadership attitude in your AppSec teams. The future of AppSec rests on professionals recognizing that there is inherent risk sitting in production and offering themselves as helpers and partners in the development cycle. In the past, security teams were seen as gatekeepers, only coming in to give the red light or green light. However, in the future, we will find that the most successful teams, as mentioned above, are the most integrated: the ones where security teams are seen as collaborators rather than toll booths.

As a result of the pandemic, organizations have moved their communications and businesses entirely online. But even as we see teams heading back into the office this year, the digital-first model of conducting business will be, and should remain, the top priority. This will bring application security to the forefront of conversations between top decision makers in your company, because without secure and properly functioning web and mobile applications, your organization will cease to exist. The CISO will be the vital connection between application security and business decisions, instead of AppSec staying siloed within security teams’ walls. The threat landscape will only get more intelligent and complex in and beyond 2021, so bringing AppSec into the boardroom will ensure clarity and speed in getting the program up and running.

There’s a misconception that automation will decrease the need for highly skilled human security professionals. This couldn’t be further from the truth. With the current number of cybersecurity job openings totaling 3.5 million, the application security industry will only grow as automation increases. This is because, as organizations rely more heavily on automation, one consequence will undoubtedly be shallow assessments. In April, our security researchers examined broken access control, the third most prevalent vulnerability on the OWASP Top 10 list. They found that broken access control is primarily composed of insufficient authorization and insufficient process validation issues, two issues that are difficult to detect using only automated scanners and that are typically discovered through manual assessments. We will see more companies partnering with local colleges and educational institutions to cultivate and foster a healthy pipeline of human talent that will fill a major skills and talent gap in our shift towards automation.

As consumers continue to face the effects of our digital reality and subsequent digital transformation, your application security teams and AppSec programs will become the “custodians of trust.” Last year, health care applications saw a dramatic rise in the window of exposure, growing from roughly 45% in previous years to 60%. Within the organization, it’s clear that there’s angst and concern on the executive side, as well, which ushers in the need for a reprioritization within the business and a focus on your most important digital assets. Too often we focus on what our priorities were at the beginning of the year, and if 2020 has proven anything, it’s the need to create adaptable workflows.

I would challenge those of us with decision-making power to take inventory of these most critical assets. Whether you’re in the financial industry (collecting SSNs and personal payment information) or the health care industry (collecting patient records and prescription data), implementing a powerful application security program that cultivates innovation and growth will greatly improve your defense against complex attacks in the years to come.

Craig Hinkley

Craig Hinkley joined WhiteHat Security as CEO in early 2015, bringing more than 20 years of executive leadership in the technology sector to this role. Craig is driving a customer-centric focus throughout the company, and has broadened WhiteHat’s global brand and visibility beyond the application security space and security buyer, to the world of the development organization and a DevSecOps approach to application development.