Software dominates the world and remains a big and accessible attack surface. In 2022, an estimated $6B was invested in Application Security, with that number expected to reach $7.5B in 2023. Within AppSec, software supply chain security entered the spotlight two years ago and represents AppSec’s fastest growing attack category with major headlines of breaches and exploits happening on a regular basis.
Within this backdrop, a few related mega trends are apparent for the near future of Application Security. First is the growing complexity of development pipelines and dependencies on third parties in pre-production development environments. Second is the growing synergy between application security and cloud security. Both trends define future security challenges and our predictions for modern application security.
1. Cloud Security and Application Security will Begin Converging Together
The security posture of an application that runs in the cloud is primarily determined by the cloud configuration and the application code. For some years – cloud security and application security ran as separate security concerns. However, the benefit of looking at them together is becoming clear:
- Unified Posture: Application risk is a combination of the cloud and the application security posture. For instance – both application code vulnerabilities and misconfigurations of the cloud service that hosts the application are foundational in determining the attack surface. They are inseparable and should be analyzed and prioritized together.
- Context: Prioritizing vulnerability remediation is driven both by cloud and application context. For example, a vulnerability in the code that is exposed by an internet-facing service may be more critical to fix than an unreachable code vulnerability in an internal service. There are many opportunities to know which vulnerabilities are most business-critical when you have both application and cloud context.
- Remediation: There are opportunities to trace vulnerabilities found in runtime back to code changes and owners in the pre-production development environment. Linking the entire chain together – from code to cloud – helps quickly determine the root cause of a problem, fix it more efficiently, and in some cases automatically.
A shift in security mindset is coming to combine cloud security and application security together. Security solutions will continue to converge, and this will provide opportunities for organizations to merge the responsibilities of AppSec and Cloud Security engineers as well, for greater efficiency and effectiveness.
2. Tighter Security Around Open-Source Software
It is nearly impossible to release software without hundreds (or more) third-party components. However, the open-source ecosystem is under constant attack, with countless attempts to manipulate open-source libraries and components through hidden code insertions, typo-squatting, and several other techniques.
To keep up with these continual cybercriminal innovations, new initiatives are underway to introduce additional security controls into the open-source ecosystem. We expect to see:
- Increased demand for open-source validation in software development shops, which includes reputation checks, authenticity checks, and continuous vulnerability scanning.
- Open-source repositories (e.g. NPM) will demand higher security standards for uploaded software, giving organizations stronger controls to check against, beginning with code signing.
- More third parties will include a Software Bill of Materials (SBOM) that can be validated prior to consumption.
Security metrics for software, along with more versatile toolsets to verify software consumption in the SDLC and prior to deployment, will become increasingly available and commonplace.
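As an added illustration (not code from the original post or from Legit Security), the following Python sketch runs the three checks named above, reputation, authenticity and vulnerability, over a constructed CycloneDX-style SBOM fragment before the software is consumed. The trusted-digest registry, vulnerability feed, package allowlist and advisory id are all assumed stand-ins for the real feeds such a check would query.

```python
import json
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# Constructed CycloneDX-style SBOM fragment; names, versions and digests are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "requests", "version": "2.31.0",
     "hashes": [{"alg": "SHA-256", "content": "aaaa1111"}]},
    {"name": "reqeusts", "version": "2.31.0",
     "hashes": [{"alg": "SHA-256", "content": "bbbb2222"}]},
    {"name": "lodash", "version": "4.17.15", "hashes": []}
  ]
}"""

# Constructed stand-ins for the feeds a real check would query.
TRUSTED_DIGESTS = {("requests", "2.31.0"): "aaaa1111"}             # authenticity: published digest
KNOWN_VULNERABLE = {("lodash", "4.17.15"): "ADVISORY-PLACEHOLDER"}  # vulnerability feed
WELL_KNOWN_NAMES = {"requests", "lodash", "express", "numpy"}       # reputation: popular packages

def looks_like_typosquat(name: str) -> Optional[str]:
    """Reputation check: a name that nearly matches a popular package but is not it."""
    for known in WELL_KNOWN_NAMES:
        if name != known and SequenceMatcher(None, name, known).ratio() >= 0.85:
            return known
    return None

def validate_sbom(sbom_text: str) -> Dict[str, List[str]]:
    """Run the three checks per component; an empty list means it passed."""
    findings = {}
    for comp in json.loads(sbom_text)["components"]:
        key = (comp["name"], comp["version"])
        problems = []
        digests = [h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"]
        if not digests:
            problems.append("missing SHA-256 digest")
        elif key not in TRUSTED_DIGESTS:
            problems.append("no trusted digest on record")
        elif TRUSTED_DIGESTS[key] not in digests:
            problems.append("digest does not match trusted registry")
        if key in KNOWN_VULNERABLE:
            problems.append(f"known vulnerable: {KNOWN_VULNERABLE[key]}")
        near = looks_like_typosquat(comp["name"])
        if near:
            problems.append(f"possible typosquat of {near}")
        findings[f"{key[0]}@{key[1]}"] = problems
    return findings

def consumption_allowed(sbom_text: str) -> bool:
    """Gate: consume the software only when every component passes all checks."""
    return all(not p for p in validate_sbom(sbom_text).values())
```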
3. The Code Factory Attack Surface Will Keep Expanding
There has been a huge increase in attacks (460-660% annual growth according to some sources) targeting developers, code, or build systems. Recent incidents include Okta having its source code stolen, the Toyota breach, which started with a contracting service exposing sensitive secrets through source code, the massive LastPass breach that started with a compromised developer, and many more.
The SDLC continues to grow as an attack surface because of our modern approach to building software: a distributed workforce, multiple systems and plugins, and heavy use of access keys, tokens, machine accounts and automations. None of this is changing anytime soon, other than getting more complex, heterogeneous and distributed.
At Legit Security, we discover first-hand the immense diversity and scope of vulnerabilities found in prospective customer environments when we run Proof-of-Value (PoV) projects. The majority of security issues we discover and mitigate are the result of honest mistakes or gaps in security knowledge. For instance, we continuously discover rogue build servers and artifact storage, either legacy or spawned quickly by fast-moving dev teams, which are wide open and contain sensitive source code and passwords.
The pre-production development attack surface is too broad, too vulnerable, and too target rich today. Unfortunately, we predict many more incidents to come in 2023 involving software supply chain exploits – from malicious tampering, to code theft, to sensitive data exposure from dev systems, and more.
4. Secure Software Compliance and SBOM
After the SolarWinds attack, the U.S. government set in motion requirements for suppliers to include a signed SBOM and to be audited against the Secure Software Development Framework (SSDF). In 2023 we expect to see:
- Growth in requests for SBOMs when software is delivered, and not just from U.S. government consumers. More and more buyers will require an SBOM from their software vendors, and more vendors will make an SBOM available for download.
- Enterprises will be looking to implement code-signing and attestation generation in their pipelines to fulfill the integrity requirements of SSDF.
- B2B security assessments will require more evidence of secure development practices and will demand proof for security guardrails, controls, and automated vulnerability scanning.
5. Smarter Prioritization Through Security Issue Context
There’s a paradox – Security and Dev teams using modern development stacks suffer from “vulnerability fatigue”. The number of security issues is intolerable and the noise they generate distracts and slows down teams as they attempt to triage and/or fix everything. For example, when an average container image produces hundreds of vulnerabilities right out of the box – what should you do, practically speaking?
More often than not, Security teams are faced with an impossible choice. The availability and power of vulnerability scanners and the security knowledge in the community are huge (which is an amazing thing), but it is unanimously agreed that prioritization is a nightmare. The phrase “CVSS is dead” is being echoed a lot lately.
Teams are looking for smarter ways to prioritize. There is a growing demand for smarter security posture management, and this can be achieved through a more holistic risk approach that relies on application context. Thus, we see a strong case for a “code-to-cloud” security approach to address this: being able to understand the exact anatomy of an app and link code risk with its runtime (cloud) characteristics. This creates real opportunities for meaningful prioritization.
For example, the first question that a security engineer can ask herself when seeing a security issue is – “is this thing exploitable?”, or “is this exposed externally?”, or even “where is this code running and is this part of a business-critical app that handles sensitive data?”. We will see more teams and more security solutions change the way they look at vulnerabilities and how teams choose to focus on issues and de-prioritize others.
6. Cultural Change: Executive Demand for Application Release Governance
It's a fact that applications still get released with vulnerabilities. Organizations are starting to realize the problem is not with an ability to detect vulnerabilities, but rather the ability to operationalize a secure and efficient end-to-end release process.
Modern approaches call for more developer involvement, including a “Security Champion” program, and shifting left to include more automated security scans. At the end of the day, Security and Development teams remain accountable for a secure release, and they are faced with a broader challenge now: how to build a secure application development pipeline.
The pressure to do so is already starting to come from the top down. C-level demands are increasing to demonstrate an efficient release process that guarantees that each software deployment is secure. We call this need “release governance”.
Security teams will be looking for ways to:
- Define a holistic release policy taking into account application context.
- Build a remediation workflow within the pipeline.
- Have real-time visibility into the coverage and effectiveness of a secure pre-production development environment, with ability to trace ownership, provide risk reporting, and tune.
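To make the triage questions from section 5 (reachable? exposed externally? exploitable? business-critical?) and the context-aware release policy above concrete, here is an added Python example, not from the original post or from Legit Security's platform, that scales each scanner finding's CVSS by its code-to-cloud context and then applies a release gate on the result. The weights, thresholds, and sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Finding:
    """A scanner finding joined with its code-to-cloud context (all fields constructed)."""
    vuln_id: str            # constructed placeholder id, not a real advisory
    cvss: float             # base score as reported by the scanner
    reachable: bool         # is the vulnerable code path actually invoked by the app?
    internet_facing: bool   # is the hosting service exposed externally?
    exploit_known: bool     # is a public exploit available?
    sensitive_data: bool    # does this app handle business-critical data?

# Context multipliers (assumed weights; tune to your own risk appetite).
UNREACHABLE_FACTOR = 0.1
EXPOSURE_FACTOR, EXPLOIT_FACTOR, DATA_FACTOR = 1.5, 1.25, 1.2

def contextual_score(f: Finding) -> float:
    """Answer the triage questions in order: reachable? exposed? exploitable? sensitive?"""
    if not f.reachable:
        return f.cvss * UNREACHABLE_FACTOR   # dead code is noise, not an open door
    score = f.cvss
    if f.internet_facing:
        score *= EXPOSURE_FACTOR
    if f.exploit_known:
        score *= EXPLOIT_FACTOR
    if f.sensitive_data:
        score *= DATA_FACTOR
    return score

def bucket(score: float) -> str:
    """Map a contextual score to a remediation bucket (assumed thresholds)."""
    return "fix-before-release" if score >= 9.0 else "fix-this-sprint" if score >= 4.0 else "defer"

def triage(findings: List[Finding]) -> List[Tuple[str, float, float, str]]:
    """Return (id, cvss, contextual score, bucket), highest contextual risk first."""
    rows = [(f.vuln_id, f.cvss, contextual_score(f), bucket(contextual_score(f))) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def release_gate(findings: List[Finding], block_at: float = 9.0) -> Tuple[bool, List[str]]:
    """Release policy: block when any finding's contextual score reaches block_at."""
    blockers = [f.vuln_id for f in findings if contextual_score(f) >= block_at]
    return (not blockers, blockers)

# Constructed sample: a CVSS 9.8 in unreachable internal code vs. a 7.5 on an exposed, exploitable path.
SAMPLE = [
    Finding("VULN-A", 9.8, reachable=False, internet_facing=False, exploit_known=True, sensitive_data=True),
    Finding("VULN-B", 7.5, reachable=True, internet_facing=True, exploit_known=True, sensitive_data=False),
    Finding("VULN-C", 5.3, reachable=True, internet_facing=False, exploit_known=False, sensitive_data=True),
    Finding("VULN-D", 9.1, reachable=True, internet_facing=False, exploit_known=False, sensitive_data=False),
]
```

Running `triage(SAMPLE)` places the CVSS 9.8 finding last, and `release_gate(SAMPLE)` blocks the release on VULN-B and VULN-D.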
We predict that this more holistic application security paradigm will become dominant over time. Security teams will drive more automations and Dev collaboration, but Security's new priority will be to get visibility and control into the process to guarantee a safe application release – with strong emphasis on reporting and accountability across teams.
Future of Modern AppSec – Never a Dull Moment
Application Security is a cat-and-mouse game rife with rapid change, innovative new attacks and exploits, and continually evolving security solutions. Some larger trends are underway that will permanently change this dynamic landscape.
Application Security and Cloud Security will come closer together. Security of third-party software will level up to include trust mechanisms for consumers. And a larger shift is underway in the way security vulnerabilities will be handled – first by leveraging contextual risk based on code-to-cloud traceability, and second by shifting focus from triaging problems to having true release governance.
On May 5, 2023, Gartner published an Innovation Insights Report showcasing a new area of focus in application security called Application Security Posture Management (ASPM), which plays a crucial role in safeguarding against vulnerabilities and maintaining a robust security framework. ASPM solutions empower organizations to analyze trends, evaluate security coverage, and assign contextual risk scores to each application release. By adopting ASPM solutions, businesses can proactively identify and address vulnerabilities, stay ahead of emerging threats, and protect their valuable applications and data. Gartner predicts that ASPM will see growth between 5% and 40% within the next three years, and this year will be the starting point for this major evolution in Application Security. ASPM will play a growing and critical role in maintaining a robust security framework for organizations.
We benefit from a world that runs on software, and the security of this software is crucial for all of us. The Legit Security Platform is here to help usher in this more secure future. Here’s to the future of modern AppSec to ensure a safe and secure world.