Security is slowly shifting into the minds of everyone contributing to software applications in data-intensive organizations. It is no longer an afterthought; instead, security personnel become an even more important stakeholder in every IT project and workload. Gradually there is more focus on application security, whereas previously infrastructure-related security aspects prevailed. 2022 already saw a rise in the number and intensity of cyber attacks, and there is no doubt that this trend continues in 2023. In this article, we explore some trends and predictions for 2023 and put the spotlight on some new initiatives. App-Sec remains a top priority in 2023.
A quick introduction
According to the website of Perforce, App-Sec is:
The process of finding, fixing, and preventing security vulnerabilities at the application level in hardware, software, and development processes. It includes guidance on measures for application design and development and through the whole lifecycle including after the application has launched.
This definition encompasses all major layers and phases for modern applications as well as applications that are created using older techniques.
App-Sec becomes increasingly important since the number of incidents at the application layer rises. When these rising numbers are combined with higher deployment frequency and with the fact that organizations increasingly base their strategic decisions on their data, there is reason to worry.
Add the global political unrest on top of that, and anyone can understand that this attracts more hackers and other malicious actors. There are plenty of arguments that drive the increased number of projects and activities around App-Sec.
Trends spotted by Enso
Earlier this year, Enso conducted market research among 40 enterprise security leaders representing different industry verticals, from healthcare to finance to media/entertainment. Their roles varied from CISO and Security Engineer to Head of Security. The number of developers in each company, as well as the maturity of its AppSec program, gave an indication of its size and challenges.
Some interesting facts that came out of the survey:
- Over 50% of the companies have just started their App-Sec program and less than 10% do not have an App-Sec program at all. So there is room for improvement on both sides.
- More than 90% of the companies responded that their App-Sec has a medium to high priority amongst the other programs that compete for time and (financial) resources.
- Penetration Testing is the absolute winner among the tools/services which companies use to detect (critical) security flaws and other security issues. It is followed by SAST, WAF, DAST, SCA, CI/CD security, and security training efforts. About 60% of the companies use those tools/services. Interesting to note is that less than 5% of the respondents use Threat Modeling, while shifting security left remains an important driver. Those two observations conflict.
- The biggest pain points are the activities around prioritization and the coverage of tools. This is also an interesting observation, since security experts and business representatives can only prioritize items correctly once the tools give them good coverage of their use cases and issues. Good to read that executive buy-in and compliance-related issues need less attention.
More than 2/3 of the respondents answered that App-Sec remains in the top 3 of their priorities for next year, and about 90% intend to improve their App-Sec efforts. Budgets to make this happen increase slightly for these companies.
Security is needed in every major stage of the Software Development Life Cycle. According to another survey, over 70% of developers skip one or more security steps. The following steps cover the security aspects of each stage:
- Requirements are already split between functional and non-functional requirements. In addition to that, it is important to specifically focus on security-related requirements. Assess risks and think through your remediation strategy, all based on your data classification schemes. This makes it practical.
- Embed Threat Modeling in your design stage. This includes selecting the right architecture and frameworks. Insecure designs, and the risks that follow from insecure architecture and frameworks, are more difficult to fix later. This is also an approach that fits the “shift left” principle.
- During the development stage, you need to check your application and infrastructure-based resources for vulnerabilities and security issues. Be sure to scan your third-party dependencies in this phase. This only pays off once all developers apply this step and act on its findings.
- Dynamic Application Security Testing aims to ensure that no vulnerabilities have slipped through the cracks of the previous testing stages. DAST is conducted at the testing stage, right before the deployment of your workload.
- Once an application has been deployed, you need to monitor the runtime environments as well as conduct (semi-)manual security tests, such as penetration tests, that evaluate your environments from time to time.
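The development-stage step above asks developers to scan their third-party dependencies. As an added example (not code from the original article, nor a real SCA product), the following Python script shows the core logic such a scan performs: it parses a pinned requirements file, compares each pinned version against an advisory list, and reports packages that are not pinned at all, since an unpinned dependency cannot be assessed reproducibly. The package names and advisory entries are constructed for illustration and are not real vulnerabilities.

```python
"""Minimal SCA-style check: pinned requirements against an advisory list.

Added example, not part of the original article. The advisory data and
package names below are constructed placeholders, not a real vulnerability feed.
"""
import re
from typing import Dict, List, Tuple

# Constructed advisory list: a version is affected when
# introduced <= version < fixed (half-open range, as most feeds express it).
ADVISORIES: Dict[str, List[dict]] = {
    "examplelib": [
        {"id": "EXAMPLE-ADV-001", "introduced": "1.0.0", "fixed": "1.4.2"},
    ],
    "otherpkg": [
        {"id": "EXAMPLE-ADV-002", "introduced": "0.0.0", "fixed": "2.0.0"},
    ],
}

# Constructed sample requirements file, as it would be checked in to the repo.
SAMPLE_REQUIREMENTS = """
examplelib==1.3.0      # affected by the constructed advisory above
otherpkg==2.1.0        # already on a fixed version
somethinglib>=2.0      # not pinned: version at build time is unknown
"""

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({package: pinned_version}, [lines that are not exact pins])."""
    pins: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
        else:
            unpinned.append(line)
    return pins, unpinned


def scan(text: str) -> Tuple[List[Tuple[str, str, str, str]], List[str]]:
    """Return ([(package, version, advisory id, fixed version)], [unpinned lines])."""
    pins, unpinned = parse_requirements(text)
    findings = []
    for name, version in pins.items():
        current = parse_version(version)
        for adv in ADVISORIES.get(name, []):
            if parse_version(adv["introduced"]) <= current < parse_version(adv["fixed"]):
                findings.append((name, version, adv["id"], adv["fixed"]))
    return findings, unpinned


if __name__ == "__main__":
    found, loose = scan(SAMPLE_REQUIREMENTS)
    for name, version, adv_id, fixed in found:
        print(f"{name}=={version}: {adv_id}, upgrade to {fixed}")
    for line in loose:
        print(f"not pinned, cannot assess: {line}")
```

In a real pipeline the advisory list would come from a feed such as the project's chosen SCA tool provides, and a non-empty findings list would fail the build so the finding is acted on rather than only reported.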
None of these steps change in 2023, but the focus of attention shifts a bit as companies advance in their security efforts over time.
Digital Defense expects more hacktivism and geopolitical impacts. In their view, the following threat areas are expected to grow and to have a more severe impact on organizations.
The attack surface is likely to increase as it expands across public/private cloud systems as well as on-premises resources. This attack surface also ranges from high-level applications down to lower-level devices that operate at the hardware level, such as modems and BIOSes. And don’t forget the growing number of IoT devices, which also process more and more (sensitive) information.
They expect that the number of people confronted with ransomware increases and that attackers will use more options than just malicious emails to gain access to systems. Even with Multi-Factor Authentication in place, people remain vulnerable. With MFA on the rise, there will be more exploits that try to compromise MFA integrity. These attacks try to intercept login codes or use SIM swapping to trick people who believe they are well protected because they applied MFA to all kinds of systems.
Besides this, they expect more sophisticated methods to carry out phishing attacks, such as tricking search engines. Larger organizations have dedicated experts working on those subjects, but now smaller companies are being affected as well. Since they may be less experienced in this area, they also face big risks.
A lot of companies are still focused on “what’s in my container”. As soon as they have scanned their image and the runtime rules have been passed, they forget about it. But this is not enough, since images change constantly, and every pull of a new image poses fresh risk.
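One practical control against the “every new pull is a new risk” problem is to pin base images by content digest instead of by mutable tag, so that what was scanned is exactly what gets built. The following Python check, added here as an example and not taken from the original article or from any particular scanner, parses the FROM lines of a Dockerfile and flags references that would float: an implicit or explicit latest tag, or a named tag without a digest. References to earlier build stages are skipped, since those are not registry pulls. The sample Dockerfile and the all-a digest value are constructed placeholders.

```python
"""Flag Dockerfile FROM lines that are not pinned to an image digest.

Added example, not part of the original article. SAMPLE_DOCKERFILE is a
constructed input; the sha256 value in it is a placeholder, not a real digest.
"""
import re
from typing import List, Tuple

# FROM [--platform=...] <image-ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE
)
# A content-addressed reference ends in @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

SAMPLE_DOCKERFILE = "\n".join([
    "FROM python:3.11-slim AS builder",      # mutable tag: flagged
    "FROM builder",                           # earlier stage: skipped
    "FROM alpine",                            # implicit latest: flagged
    "FROM nginx:1.25@sha256:" + "a" * 64,     # digest-pinned (placeholder digest): ok
])


def classify(ref: str) -> str:
    """Return 'pinned', 'latest-tag' or 'mutable-tag' for one image reference."""
    if DIGEST_RE.search(ref):
        return "pinned"
    # Only the last path component can carry a tag; a registry host may hold a port.
    last = ref.rsplit("/", 1)[-1]
    if ":" not in last or last.endswith(":latest"):
        return "latest-tag"
    return "mutable-tag"


def check_from_lines(dockerfile_text: str) -> List[Tuple[int, str, str]]:
    """Return [(line number, image reference, problem)] for unpinned FROM lines."""
    issues: List[Tuple[int, str, str]] = []
    stages = set()
    for lineno, raw in enumerate(dockerfile_text.splitlines(), start=1):
        match = FROM_RE.match(raw)
        if not match:
            continue
        ref, stage = match.group(1), match.group(2)
        if ref not in stages:  # a stage name refers to a local build stage, not a pull
            kind = classify(ref)
            if kind != "pinned":
                issues.append((lineno, ref, kind))
        if stage:
            stages.add(stage)
    return issues


if __name__ == "__main__":
    for lineno, ref, kind in check_from_lines(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {ref} ({kind}); pin it with @sha256:<digest>")
```

Pinning by digest does not remove the need to rescan: the point is that a rescan and a rebuild then refer to the same bytes, and updating the digest becomes a reviewable change instead of a silent drift on the next pull.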
Improved attack responses
Following the expectations of Digital Defense, we are likely to see trends around the following subtopics, which all fall under improved attack responses.
- Data-centric approach: an increased focus on protecting structured and unstructured data. This also means active management and monitoring of this critical data, which should also be visible to the end users who actually work with it.
- Vendors are expected to solve multiple use cases rather than focus on a single one. On top of that, they should do their job really well for those use cases. Expect more evaluations of vendors and a focus on high-quality solutions.
- It is likely that App-Sec budgets increase, which backs the results of the Enso study discussed earlier. Not only to train security experts and regular employees and keep them up to date, but also to implement practical solutions that actually make a difference.
- Zero trust aspirations of companies are likely to gain more popularity, and better security controls aim to back up that ambition. This also means that companies will take a more offensive stance in their security efforts. Think of anticipating breaches to find weak security spots and fixing them before any serious harm is done.
It is good to note that there are a lot of efforts that put App-Sec more and more in the spotlight.
App-Sec initiatives among organizations all around the globe are on the rise. In this article, we saw new trends and possible extra attention for a lot of subtopics in this area. Following the different surveys that have been conducted, we can conclude that budgets are increasing, penetration testing remains a popular method to detect security flaws, and there is also an increased focus on actually preventing security issues by actively pursuing more secure systems. It remains important to check every stage of your Software Development Life Cycle to hunt for security issues. Curious to see what the new year brings us.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to firstname.lastname@example.org.