5 Things You Need to Know About Application Security in DevOps
Application Security (AppSec) is the process of identifying, testing, and fixing security flaws in an application. It’s not so much about a singular...
Liav Caspi, Jan 26, 2023 10:59:34 PM
Software dominates the world and remains a big and accessible attack surface. In 2022, an estimated $6B was invested in Application Security, with that number expected to reach $7.5B in 2023. Within AppSec, software supply chain security entered the spotlight two years ago and represents AppSec’s fastest growing attack category with major headlines of breaches and exploits happening on a regular basis.
Within this backdrop, a few related mega trends are apparent for the near future of Application Security. First is the growing complexity of development pipelines and dependencies on third-parties in pre-production development environments. Second is the growing synergy between application security and cloud security. Both trends define future security challenges and our predictions for modern application security.
The security posture of an application that runs in the cloud is primarily determined by the cloud configuration and the application code. For some years, cloud security and application security ran as separate security concerns. However, the benefit of looking at them together is becoming clear:
A shift in security mindset is coming to combine cloud security and application security together. Security solutions will continue to converge, and this will provide opportunities for organizations to merge the responsibilities of AppSec and Cloud Security engineers as well for greater efficiency and effectiveness.
It is nearly impossible to release software without hundreds (or more) third-party components. However, the open-source ecosystem is under constant attack, with countless attempts to manipulate open-source libraries and components through hidden code insertions, typo-squatting, and several other techniques.
To keep up with these continual cybercriminal innovations, new initiatives are underway to introduce additional security controls into the open-source ecosystem. We expect to see:
Security metrics for software, along with more versatile toolsets to verify software consumption in the SDLC and prior to deployment, will become more common.
There has been a huge increase in attacks targeting developers, code, or build systems (460-660% annual growth according to some sources). Recent incidents include Okta having their source code stolen, the Toyota breach, which started with a contracting service exposing sensitive secrets through source code, the massive LastPass breach that started with a compromised developer, and many more.
The SDLC continues to grow as an attack surface because of our modern approach to building software: distributed workforce, multiple systems and plugins, and the use of many access keys, tokens, machine accounts and automations. None of this is changing anytime soon, other than getting more complex, heterogeneous and distributed.
At Legit Security, we discover first-hand the immense diversity and scope of vulnerabilities found in prospective customer environments when we run Proof-of-Value (PoV) projects. The majority of security issues we discover and mitigate are the result of honest mistakes or gaps in security knowledge. For instance, we continuously discover rogue build servers and artifact storage, either legacy or spawned quickly by fast-moving dev teams, which are wide open and contain sensitive source code and passwords.
The pre-production development attack surface is too broad, too vulnerable, and too target rich today. Unfortunately, we predict many more incidents to come in 2023 involving software supply chain exploits – from malicious tampering, to code theft, to sensitive data exposure from dev systems, and more.
Since the SolarWinds attack, the U.S. government has set in motion requirements for suppliers to include a signed SBOM and to be audited against the Secure Software Development Framework (SSDF). In 2023 we expect to see:
There’s a paradox – Security and Dev teams using modern development stacks suffer from “vulnerability fatigue”. The number of security issues is intolerable and the noise they generate distracts and slows down teams as they attempt to triage and/or fix everything. For example, when an average container image produces hundreds of vulnerabilities right out of the box – what should you do, practically speaking?
More often than not, Security teams are faced with an impossible choice. The availability and power of vulnerability scanners and the security knowledge in the community is huge (which is an amazing thing) – but it is unanimously agreed that prioritization is a nightmare. The term “CVSS is dead” is being echoed a lot lately.
Teams are looking for smarter ways to prioritize. There is a growing demand for smarter security posture management, and this can be done by taking a more holistic risk approach that relies on the application context. Thus, we see a strong case for a “code-to-cloud” security approach to address this: being able to understand the exact anatomy of an app and link code risk with its runtime (cloud) characteristics. This provides great opportunities for meaningful prioritization focus.
For example, the first question that a security engineer can ask herself when seeing a security issue is – “is this thing exploitable?”, or “is this exposed externally?”, or even “where is this code running and is this part of a business-critical app that handles sensitive data?”. We will see more teams and more security solutions change the way they look at vulnerabilities and how teams choose to focus on issues and de-prioritize others.
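To make the contrast concrete, here is an added Python sketch (not code from this post or from the Legit Security platform) that ranks a set of constructed findings by the contextual questions above instead of by CVSS alone. The weights, the service attributes and the sample findings are assumptions chosen to illustrate the point; a real deployment would derive the context from code-to-cloud inventory data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    id: str
    cvss: float      # base severity from the scanner
    service: str     # which deployed service the vulnerable code belongs to

@dataclass(frozen=True)
class RuntimeContext:
    reachable: bool              # is the vulnerable code actually used/executed?
    internet_exposed: bool       # is the service reachable from outside?
    handles_sensitive_data: bool
    business_critical: bool

# Constructed sample inventory: runtime facts about each service (assumed values).
CONTEXTS = {
    "nightly-report-job": RuntimeContext(True, False, False, False),
    "checkout-api": RuntimeContext(True, True, True, True),
    "admin-portal": RuntimeContext(True, True, True, False),
}

# Constructed sample findings (not real CVEs); F3 is in checkout-api but unreachable.
FINDINGS = [
    Finding("F1", 9.8, "nightly-report-job"),
    Finding("F2", 7.5, "checkout-api"),
    Finding("F4", 5.3, "admin-portal"),
]
UNREACHABLE_F3 = (Finding("F3", 9.1, "checkout-api"),
                  RuntimeContext(False, True, True, True))

def contextual_risk(f: Finding, ctx: RuntimeContext) -> float:
    """Priority score: CVSS adjusted by the questions a security engineer asks."""
    score = f.cvss
    if not ctx.reachable:
        score *= 0.2   # "is this thing exploitable?" -- not if the code never runs
    if ctx.internet_exposed:
        score *= 1.5   # "is this exposed externally?"
    if ctx.handles_sensitive_data:
        score *= 1.3   # "does this app handle sensitive data?"
    if ctx.business_critical:
        score *= 1.2   # "is this part of a business-critical app?"
    return score

def rank_by_cvss(pairs):
    return [f.id for f, _ in sorted(pairs, key=lambda p: p[0].cvss, reverse=True)]

def rank_by_context(pairs):
    return [f.id for f, c in sorted(pairs, key=lambda p: contextual_risk(*p), reverse=True)]

ALL = [(f, CONTEXTS[f.service]) for f in FINDINGS] + [UNREACHABLE_F3]
```

Running `rank_by_cvss(ALL)` puts the internal batch job's 9.8 first, while `rank_by_context(ALL)` moves the exposed, sensitive checkout service to the top and pushes the unreachable 9.1 to the bottom.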
It's a fact that applications still get released with vulnerabilities. Organizations are starting to realize the problem is not with an ability to detect vulnerabilities, but rather the ability to operationalize a secure and efficient end-to-end release process.
Modern approaches call for more developer involvement, including a “Security Champion” program, and shifting left to include more automated security scans. At the end of the day, Security and Development teams remain accountable for a secure release, and they are faced with a broader challenge now: how to build a secure application development pipeline.
The pressure to do so is already starting to come from the top down. C-level demands are increasing to demonstrate an efficient release process that guarantees that each software deployment is secure. We call this need “release governance”.
Security teams will be looking for ways to:
We predict that this more holistic application security paradigm will become dominant over time. Security teams will drive more automations and Dev collaboration, but Security's new priority will be to get visibility and control into the process to guarantee a safe application release – with strong emphasis on reporting and accountability across teams.
Application Security is a cat-and-mouse game rife with rapid change, innovative new attacks and exploits, and continually evolving security solutions. Some larger trends are underway that will permanently change this dynamic landscape.
Application Security and Cloud Security will come closer together. Security of third-party software will level up to include trust mechanisms for consumers. And a larger shift is underway in the way security vulnerabilities will be handled – first by leveraging contextual risk based on code-to-cloud traceability, and second by shifting focus from triaging problems to having true release governance.
We benefit from a world that runs on software, and the security of this software is crucial for all of us. The Legit Security Platform is here to help usher in this more secure future. Here’s to the future of modern AppSec to ensure a safe and secure world.