Application Security Trends and Predictions for 2023
Application Security Today
Ever since the SolarWinds breach was disclosed in late 2020, application security has been experiencing an unprecedented renaissance, with new solutions being released for every phase of the application lifecycle. This is largely fueled by significant investment, aggressive government regulation, and enterprise risk appetite. All of this was visible in 2022, creating a productive environment for application security adoption.
Adoption of New Tools
This year, Software Composition Analysis (SCA) and the Software Bill of Materials (SBOM) were more widely adopted for software security assurance, and the US government reinforced their importance through Executive Order 14028. Similar regulations are being developed in the EU, UK, and Canada. Reflecting significant changes to the frameworks from OWASP and NIST, organizations have increased their focus on the software security assurance lifecycle. This is largely a response to the catastrophic breaches of recent years, the SolarWinds breach among them.
But, despite the progress, organizations of all sizes face a long and winding road to adopting application security across the entire lifecycle. Security efforts are further hindered by a product-first approach and by early adopters' disillusionment with DevOps and DevSecOps.
Rising Risks
Attacks against both development environments and the applications themselves have increased. Within the last year, two large software development companies, LastPass and Dropbox, disclosed breaches targeting their source code. Cisco Talos noted in Q2 that the number of successful application-focused attacks used as an initial vector of compromise had grown to nearly equal the number of successful phishing attacks.
Economic Shifts
This year, technology companies began to feel the effects of an economic downturn. For many this resulted in layoffs of technical staff, including many software developers. Inevitably, a shrinking development team may further impede the implementation of software development security programs, despite the regulatory environment.
Based on experiences from 2022, 2023 will likely bring a new wave of sophisticated attacks on applications together with a shortage of skilled application security professionals. This will tempt CISOs to seek out tool-based solutions while still under-valuing a rapidly maturing landscape of threat modelling, software security assurance, and continuous application security testing and monitoring.
Application Security Trends in 2023
Here are a few major trends to watch for in 2023.
1. Code Repository Security Becomes a Priority
Multiple breaches targeting code repositories were reported in 2022, including the high-profile LastPass and Dropbox incidents, which occurred within a span of fewer than three months. Application code is a high-value target. Beyond the loss of intellectual property, access to source code lets an attacker harvest hardcoded secrets and analyse the code for security defects to exploit. Undetected, unauthorized code modifications are also a significant risk, as demonstrated by the SolarWinds breach, in which the build process was tampered with as early as 2019 and the backdoored update was not discovered until late 2020.
Protecting and monitoring access to code repositories is becoming a priority for many software development companies, but there is currently no ideal solution, either natively or from a third-party vendor. Given the distributed nature of software development, both geographically and across organizations, the current generation of access management solutions offers limited capability to protect code, or does so at the cost of productivity.
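Harvesting hardcoded secrets is the first thing an attacker does with a stolen repository, so it is also the first check a defender should run. The following scanner is an added example, not code from the original article or from any vendor it mentions: it runs a few signature rules plus a Shannon-entropy check over a constructed sample file and redacts what it reports. The patterns, the 20-character minimum for the entropy check and the 4.5 bits/character threshold are assumptions for illustration, not a complete rule set.

```python
import math
import re
from typing import Dict, List, NamedTuple, Pattern


class Finding(NamedTuple):
    line: int
    rule: str
    redacted: str  # first four characters only, so reports never echo the whole secret


# Illustrative patterns (an assumption of this example, not a complete rule set).
PATTERN_RULES: Dict[str, Pattern] = {
    # AWS access key IDs have a fixed prefix and a 16-character upper-case/digit body.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM header of the common private key types.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # A credential-looking name assigned a quoted literal of eight or more characters.
    "generic_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# Quoted literals of 20+ characters are checked for randomness whatever the variable name.
QUOTED_LITERAL = re.compile(r"['\"]([^'\"]{20,})['\"]")
ENTROPY_THRESHOLD = 4.5  # bits per character; a tuning assumption of this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for one repeated character)."""
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_source(text: str) -> List[Finding]:
    """Run every rule over each line and return findings in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERN_RULES.items():
            m = pattern.search(line)
            if m:
                # Report the captured value when the rule has a group, else the whole match.
                findings.append(Finding(lineno, rule, redact(m.group(m.lastindex or 0))))
        for m in QUOTED_LITERAL.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "high_entropy_string", redact(m.group(1))))
    return findings


# Constructed sample file for this example; none of these values are real credentials.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "correct horse battery staple"
session_token = "hello"
blob = "x9Kq2LmZ7tRbW4vYp8NcH3sDfG6jA1eU"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} ({f.redacted})")
```

Line 3 is caught only by the name-based rule (a passphrase has low entropy), line 5 only by the entropy rule (the variable name gives nothing away), and line 4 escapes both because the literal is too short; that gap between rules is exactly what a reviewer needs to tune rather than trust.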
As with any unsolved cybersecurity problem, we can expect to see new approaches and solutions to this problem in 2023.
2. Shift Left Stalls
“Shift Left” became a hot trend in application security over the last couple of years. However, as organizations experimented with the approach, numerous shortcomings became apparent. Due to a lack of expertise in software development and application-focused knowledge within cybersecurity teams, many organizations began to feel that the “shift left” ideology was synonymous with simply dumping more work on software developers and DevOps engineers with little guidance or support.
While vendors develop many application security testing tools targeting developers and DevOps engineers, triaging and prioritizing the results and making remediation decisions requires security expertise.
Unfortunately, that expertise is frequently unavailable within the software development team. At the beginning of 2022 there was only one application security specialist available for every 120 developers and one application security architect available for every 500 developers.
Moving into 2023, we will see more DevSecOps initiatives become mired in debates on security roles and responsibilities.
Additional complications are on the horizon due to a potential economic downturn. This may lead to the downsizing of software development teams, frequently at the expense of security capabilities and DevOps initiatives, further stalling the “shift left” movement.
As a result, we expect to see security tool vendors focusing their message on ease of decision-making rather than ease of integration or operation. This presents a dangerous trend as the tools on the market lack the intelligence required to make fundamental decisions, such as eliminating false positives or risk-based remediation prioritization.
If DevSecOps initiatives are impacted by these slow-downs, organizations should work to shift attention from the bottom-up approach of automation and testing coverage to the top-down approach of visibility and software development risk management.
3. The SBOM Disillusionment
Most 2022 sales pitches for application security solutions included a Software Composition Analysis (SCA) tool to generate a Software Bill of Materials (SBOM). Several regulations have emerged that include SBOM as part of supply chain risk management. Predictably, the number of vendors focusing on SCA tooling has increased substantially, including some that make SBOM management their core business.
There’s no denying that SCA is useful for compliance and managing supply chain risks. The real issue lies with organizations being overpromised on the usefulness of SCA and relying on SBOM management to be a centrepiece of application security strategy.
Gartner, in their recent Application Security Hype Cycle report, views SBOM as a technology that is yet to reach the “Peak of Inflated Expectations.”
Even with SPDX and CycloneDX available as exchange formats, generators differ in how they name packages, resolve versions and enumerate transitive dependencies, so two SBOMs for the same build rarely agree. Without a standard approach among vendors for package reporting and manifest creation, intelligent risk decisions are difficult when based solely on SCA/SBOM output.
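To make that disagreement concrete, here is an added example (not code from the original article or from any SBOM vendor) that normalizes a CycloneDX document and an SPDX document describing the same build to package URLs and classifies the differences. Both documents are constructed for the example; the normalization rules are an assumption of the example and are complete only for pypi names (PEP 503), which is where generators most often diverge.

```python
import json
import re
from typing import Dict, Optional, Set, Tuple
from urllib.parse import unquote

# (package type, normalized name, version or None when the generator recorded none)
Component = Tuple[str, str, Optional[str]]


def normalize_purl(purl: str) -> Component:
    """Reduce a package URL to a comparable (type, name, version) triple.
    Qualifiers ('?...') and subpaths ('#...') are dropped; the namespace is kept in the name.
    pypi names follow PEP 503 (case-insensitive, runs of -_. collapse to '-'); other
    ecosystems are only lower-cased, a simplification of this example."""
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    body = body.split("#", 1)[0].split("?", 1)[0]
    version: Optional[str] = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
        version = unquote(version)
    parts = body.split("/")
    ptype = parts[0].lower()
    name = "/".join(unquote(p) for p in parts[1:])
    name = re.sub(r"[-_.]+", "-", name).lower() if ptype == "pypi" else name.lower()
    return (ptype, name, version)


def components_from_cyclonedx(doc: dict) -> Set[Component]:
    out: Set[Component] = set()
    for c in doc.get("components", []):
        if c.get("purl"):
            out.add(normalize_purl(c["purl"]))
        else:  # no purl: a bare name cannot be matched against vulnerability data reliably
            out.add(("unknown", c["name"].lower(), c.get("version")))
    return out


def components_from_spdx(doc: dict) -> Set[Component]:
    out: Set[Component] = set()
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        if purl:
            out.add(normalize_purl(purl))
        else:
            out.add(("unknown", p["name"].lower(), p.get("versionInfo")))
    return out


def compare(a: Set[Component], b: Set[Component]) -> Dict[str, Set[Tuple[str, str]]]:
    """Diff two component sets by (type, name) and classify the disagreements."""
    va = {(t, n): v for t, n, v in a}  # one version per (type, name) is assumed here
    vb = {(t, n): v for t, n, v in b}
    shared = va.keys() & vb.keys()
    return {
        "only_in_a": set(va.keys() - vb.keys()),
        "only_in_b": set(vb.keys() - va.keys()),
        "version_mismatch": {k for k in shared if va[k] and vb[k] and va[k] != vb[k]},
        "unversioned": {k for k, v in list(va.items()) + list(vb.items()) if v is None},
    }


def compare_sbom_documents(cyclonedx_json: str, spdx_json: str) -> Dict[str, Set[Tuple[str, str]]]:
    return compare(components_from_cyclonedx(json.loads(cyclonedx_json)),
                   components_from_spdx(json.loads(spdx_json)))


# Constructed documents: the same build as two different generators might record it.
SBOM_A_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    {"type": "library", "name": "PyYAML", "version": "6.0", "purl": "pkg:pypi/PyYAML@6.0"},
    {"type": "library", "name": "urllib3", "version": "1.26.12", "purl": "pkg:pypi/urllib3@1.26.12"},
    {"type": "library", "name": "typing_extensions", "version": "4.4.0", "purl": "pkg:pypi/typing_extensions@4.4.0"}
  ]
}"""
SBOM_B_JSON = """{
  "spdxVersion": "SPDX-2.3", "packages": [
    {"name": "requests", "versionInfo": "2.28.1", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/requests@2.28.1"}]},
    {"name": "pyyaml", "versionInfo": "6.0", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/pyyaml@6.0"}]},
    {"name": "urllib3", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/urllib3"}]},
    {"name": "typing-extensions", "versionInfo": "4.3.0", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/typing-extensions@4.3.0"}]},
    {"name": "certifi", "versionInfo": "2022.9.24", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/certifi@2022.9.24"}]}
  ]
}"""

if __name__ == "__main__":
    print(compare_sbom_documents(SBOM_A_JSON, SBOM_B_JSON))
```

Without normalization, `PyYAML` versus `pyyaml` and `typing_extensions` versus `typing-extensions` would show up as four unrelated packages; with it, the real disagreements remain: one tool resolved a different version of `typing-extensions`, one recorded `urllib3` without any version (so it cannot be matched against an advisory), and only one saw `certifi` at all. A risk decision taken on either document alone inherits those gaps.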
In 2023, SBOM management may shift to become part of compliance tasks rather than a cybersecurity initiative, reflecting limited value to software security risk management. However, multiple international government regulations may keep SCA/SBOM a significant part of the application security portfolio in the future.
4. The DAST Comeback from The Dead
Two years ago, many DevSecOps teams declared Dynamic Application Security Testing (DAST) dead. Teams recognized that DAST can be cumbersome to use and hard to automate. Additionally, DAST requires specialized security knowledge, so its deployment has been limited to organizations with significant expertise.
Over the past few years multiple start-ups emerged promising a simpler, automated DAST solution that would include intelligent fuzzing engines and machine learning to analyze findings. Unfortunately, such technology has yet to mature, and DAST solutions in 2022 offer very few improvements over platforms available a decade earlier.
Nonetheless, the inclusion of DAST and Interactive Application Security Testing (IAST) in the NIST Guidelines on Minimum Standards for Developer Verification of Software drove increased demand for combined SAST/DAST solutions, prompting several application security testing vendors to invest in DAST solutions of their own.
Solutions available in the market may continue to provide limited automation and pipeline integration capabilities for the near future. DAST findings require extensive triaging to eliminate false positives, significantly impacting automated risk decisions based on initial scan results. As a result, the DAST toolset still requires specialized cybersecurity knowledge to operate effectively, and the results must be manually investigated to develop an appropriate risk and remediation approach.
Despite the scarcity of operational skill sets and resource-intensive support needs, DAST is still the best solution for organizations that must maintain a NIST-compliant software security validation program or want to pursue continuous testing rather than snapshot-in-time penetration testing.
5. Renewed Focus on API Security
Solving API security problems is a complicated task when the number of APIs and API endpoints can run into the hundreds in a modern application environment. Even building an asset inventory for APIs requires significant effort without specialized solutions. To make matters worse, B2B interoperability, where vendors may ultimately expose their partners' APIs through their own unsecured endpoints, is a real and significant risk.
Multiple operational API security solutions have been on the market for some time. While these have demonstrated a capability to reduce the overall number of API-related attacks, they rarely deter a sophisticated attacker with enough technical expertise to evade detection. Newer solutions provide a hybrid testing and operations approach to API security, as well as better capabilities for inventorying API assets.
With APIs presenting the greatest unauthenticated attack surface for applications, the number of attacks is only expected to rise. Challenges in monitoring API security, especially around third-party endpoints, together with slow adoption of software security assurance, will undoubtedly result in major breaches over the next several years. Once organizations realize that security by obscurity no longer works for APIs, we should see renewed interest in tools and approaches to API security.
Gartner places API Security Testing and API Threat Protection solutions at the "peak of inflated expectations." Experience over the last year shows that API threat protection solutions are much closer to the "trough of disillusionment" and will start moving towards the "plateau of productivity" in 2023. Additionally, most API-focused testing solutions still lack maturity and need to evolve further before being widely adopted by software development organizations.
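The unauthenticated surface can at least be enumerated from the API contract before anyone scans it. The following audit is an added example, not code from the original article or from any product it mentions: it walks a constructed OpenAPI 3 document and lists every operation that ends up with no security requirement, applying the resolution rules of the specification (an operation's own `security` replaces the document default, an empty list switches authentication off, and an empty requirement object `{}` inside the list makes authentication optional, so the operation is still reachable anonymously). It also flags schemes that are referenced but never defined, which usually means nothing enforces them.

```python
import json
from typing import Dict, List

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def audit_openapi(spec: dict) -> Dict[str, List[str]]:
    """Return operations reachable without credentials and undefined security schemes."""
    default = spec.get("security", [])  # document-level default, absent means no auth at all
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    unauthenticated: List[str] = []
    undefined: List[str] = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            label = f"{method.upper()} {path}"
            # Operation-level `security` overrides the default; [] disables authentication.
            requirements = op.get("security", default)
            # Any one requirement object in the list suffices, so {} means "or nothing".
            if not requirements or any(req == {} for req in requirements):
                unauthenticated.append(label)
            for req in requirements:
                for scheme in req:
                    if scheme not in defined:
                        undefined.append(f"{label}: {scheme}")
    return {"unauthenticated": unauthenticated, "undefined_schemes": undefined}


def audit_openapi_json(text: str) -> Dict[str, List[str]]:
    return audit_openapi(json.loads(text))


# Constructed specification for this example; the paths and schemes are made up.
SAMPLE_SPEC_JSON = """{
  "openapi": "3.0.3",
  "info": {"title": "Orders API (constructed example)", "version": "1.0"},
  "security": [{"bearerAuth": []}],
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "paths": {
    "/orders": {"get": {"summary": "List orders"}, "post": {"summary": "Create order"}},
    "/orders/{id}/export": {"get": {"summary": "Export as CSV", "security": []}},
    "/partners/webhook": {"post": {"summary": "Partner callback", "security": [{}, {"bearerAuth": []}]}},
    "/health": {"get": {"summary": "Liveness probe", "security": []}},
    "/admin/reports": {"get": {"summary": "Admin reports", "security": [{"adminKey": []}]}}
  }
}"""

if __name__ == "__main__":
    for key, rows in audit_openapi_json(SAMPLE_SPEC_JSON).items():
        print(key, rows)
```

Of the three anonymous operations, `/health` is intended, `/orders/{id}/export` is the kind of data-bearing endpoint that was probably opened for a quick integration, and `/partners/webhook` is the B2B case from the text: the partner alternative `{}` makes the bearer token optional. The `adminKey` finding is a contract that names a scheme no gateway can enforce because it was never defined.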
6. Software Security Assurance Requirements Will Propagate Down Supply Chain Faster Than Expected
In 2022, the US government increased its focus on Executive Order 14028, instructing federal agencies to create a security assurance verification process for software vendors within six months. This also brought similar attention to the security and regulatory environment surrounding critical infrastructure.
Many software development teams ignore these regulatory developments, citing a lack of direct business with regulated organizations. That assumption is unlikely to hold in 2023: companies in sectors such as finance, defence and energy may start managing software security risk by pushing the requirements down their supply chains.
This development may catch many companies off guard; a significant effort to address the NIST software security guidelines will become a focus toward the end of 2023. As there is little chance of de-escalation of geopolitical tensions in 2023, software teams should expect a broadening of the regulated industries required to maintain third-party software security assurance validation processes. This will, in turn, put pressure on many software development and SaaS provider organizations to achieve a minimum level of compliance.
Planning for the Future of Cybersecurity
In addition to managing software supply chain security, there will also be pressure for cyber-risk management teams to focus on a deeper view of application and software security risks in 2023 and 2024. This will come with further involvement of compliance officers and board reporting requirements.
If you’re looking to get ahead of the curve for 2023 and improve your current application security processes, Parabellyx can help. With a team of experts on your side, we can help you embrace these trends and prepare for the future of cybersecurity.