
5 AppSec Predictions for 2023


Several application security (AppSec) trends have already started to emerge in 2023, and enterprise IT leaders must take note. The impact these trends will have on existing software development lifecycles is profound and requires significant forethought. Let's go over the five critical shifts in AppSec attitudes, processes, and threats forecasted for 2023.

  1. Maturing of corporate AppSec programs

For many enterprises, AppSec is nothing more than a set of loosely applied processes and tools to protect against application data loss/theft and infrastructure intrusions. In 2023, look for organizations to tighten and fine-tune their AppSec processes so they adhere more closely to a well-defined, best-practice framework.

The reason for this movement to a more static and precise framework is simple: businesses are monitoring the news and seeing a continued uptick in application breaches that often result in lost data, decreased customer confidence, and negative public relations. Bolstering AppSec processes so they adhere to best-practice guidelines is a way to ensure their company isn't the next unlucky victim portrayed in the media.

  2. Supply chain attacks will continue to cause headaches if not properly addressed

Because of the way modern applications are remotely patched and integrated with external databases and users, supply chain risks will continue to be problematic for the foreseeable future. If software development teams succumb to a breach, threat actors can potentially access software source code and embed mechanisms to create backdoors or distribute malware to application users by way of software updates/patches.

One of the most highly publicized supply chain attacks to date impacted SolarWinds infrastructure monitoring products. It occurred when malicious actors breached SolarWinds' corporate IT security systems and modified patch updates, weaponizing them to gain backdoor access into thousands of government and private entities that relied on SolarWinds software.

This high-profile example highlights the risk that organizations take when depending on third-party software vendors. It also points to why further security checks within the software development lifecycle process are so important these days. If properly deployed and managed, DevSecOps tools can detect these types of malicious code additions long before being released as patch updates to unsuspecting customers. 

  3. Impending recession concerns are forcing businesses to place more focus on workflow automation and efficiency gains

Several global indicators are beginning to show that a recession may be upon us. Emerging recession signs include widespread layoffs/hiring freezes, a significant rise in energy costs, and the slowing of home and auto sales. The questionable strength of the global economy is also expected to impact business IT operations including AppSec endeavors and priorities.

In this type of economy, expect organizations to look to AppSec processes to automate existing manual tasks and gain efficiencies where human interaction is typically required. This includes placing a priority on AppSec workflow automation, such as the use of DevSecOps tools. DevSecOps platforms will be part of an AppSec efficiency effort because they allow developers and security teams to focus on automating manually conducted security checks and resolution research – tasks that are notoriously time-consuming.

  4. Consolidation of security tooling into centralized platforms

IT departments constantly struggle with supporting security tools and processes that often overlap with each other. An emerging trend in this space is to evaluate tools for effectiveness and whether new or existing tools can be consolidated.

Looking specifically at security for software development, expect IT departments to place extra emphasis on the use of DevSecOps tools that handle security tooling, scanning, and pipeline management across a range of supported programming languages.

  5. Business domains will be mapped with security domains to help with prioritizing vulnerabilities

The number of software vulnerabilities in the wild is expanding at an unprecedented rate. As such, developers must work to better prioritize known vulnerabilities based on the anticipated risk to their organization. Problems occur when this prioritization relies on manual processes. A more efficient solution, and one that can be automated, is to map and track the criticality of applications and services from a business domain risk perspective. For example, a vulnerability found within a customer-facing payment processing system should be much higher on the priority list than a vulnerability of the same severity found in an app that contains little to no sensitive data. Allowing security operations teams to add business context to the criticality of applications, systems, and repositories helps them prioritize and triage the risk level of vulnerabilities so they can be addressed in a timely manner.

Expect business and IT leaders in 2023 to seek out tools that help improve vulnerability identification and prioritization with an emphasis on both speed and accuracy. From a DevOps standpoint, this includes the need to map or inject business risk context into vulnerability risk and prioritization tools.
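As an added illustration (not code from the GuardRails post or product), the following minimal prioritizer applies the business-domain weighting described above: technical severity is multiplied by the criticality of the domain the repository is mapped to. The domain weights, the exposure multiplier, and the sample findings are all assumptions constructed for the example.

```python
# Added example: business-context vulnerability prioritization.
# Domain weights, exposure multiplier and findings are constructed assumptions.
from dataclasses import dataclass

# Assumed criticality weight per business domain (higher = more critical).
DOMAIN_WEIGHT = {
    "payments": 3.0,        # customer-facing, handles card and PII data
    "customer-portal": 2.0,
    "internal-tools": 1.0,
    "marketing-site": 0.5,  # little to no sensitive data
}


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # constructed scanner finding id
    repo: str             # repository the finding was reported in
    domain: str           # business domain the repo has been mapped to
    cvss: float           # technical base severity, 0.0 to 10.0
    internet_facing: bool


def risk_score(f: Finding) -> float:
    """Combine technical severity with business context.

    Score = CVSS x domain weight x exposure multiplier. Repos with no
    domain mapping default to weight 1.0 so they are not silently dropped.
    """
    weight = DOMAIN_WEIGHT.get(f.domain, 1.0)
    exposure = 1.25 if f.internet_facing else 1.0
    return f.cvss * weight * exposure


def prioritize(findings):
    """Return findings ordered from highest to lowest business risk."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample: the critical CVSS 9.8 bug on the brochure site ends up
# below the CVSS 7.4 bug in the payment API once business context is applied.
SAMPLE = [
    Finding("F-001", "checkout-api", "payments", 7.4, True),
    Finding("F-002", "brochure-site", "marketing-site", 9.8, True),
    Finding("F-003", "hr-reports", "internal-tools", 8.1, False),
    Finding("F-004", "unmapped-svc", "unknown", 6.0, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.2f}  {f.vuln_id}  {f.repo}  ({f.domain})")
```

In a real pipeline the domain mapping would come from an asset inventory or repository metadata rather than a hard-coded table, and the weights would be agreed with the business owners of each domain.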

Conclusion

For better or worse, these are the AppSec trends that are likely to be popular in the new year. With a clear emphasis on the creation of application security efficiencies, vulnerability accuracy, and the use of consolidated tools, business leaders will be looking for ways to reach their application security goals in the most cost-effective ways possible. 


*** This is a Security Bloggers Network syndicated blog from GuardRails authored by GuardRails. Read the original post at: https://blog.guardrails.io/5-appsec-predictions-for-2023/