Application security is finally beginning to take wind. After years of being pushed to the background in favor of other areas of IT security, recently we’ve seen a major shift in the security landscape where application security is finally getting attention.With 84% of attacks aimed at the application layer – it’s about time, too.
Application security is a big field, though, and it can be overwhelming to begin an application security program without having an idea of where to start. And that’s where knowing what trends are on the horizon and aligning them to your own organizational needs can be especially helpful.
So, what application security trends will we see more of in 2016? We offer our thoughts below! What other trends do you expect to see in the upcoming year – comment below!
5 Application Security Trends We’ll See This Year
We’ve written extensively about how agile development methodologies are taking over the business world, and by 2020 at least 88% of organizations will have either adopted DevOps or will have adopted DevOps practices. The security teams at these organizations need to accept the challenge and figure out ways to reduce the burden of security on developers and testers, while at the same time bolstering your application security program.
The upcoming year will only see more and more organizations shifting towards DevOps, and the security teams should be one of the first groups on board. Automating security processes within the Continuous Integration and Continuous Delivery cycles is the only proven way to stay up to the speed of a DevOps environment.
Automation has been the saving grace of scaling application security programs, and it’s no different in the SecDevOps world. Tools that enable developers easy access to security testing and offer guidance on how – and more importantly why – a piece of code needs remediation will go a long way in helping shift security testing to the left in your organization’s SDLC. In addition, automation tools have the capacity to ensure your security controls and compliance with standards are up to par – allowing your organization to accelerate the pace of development and increase transparency without sacrificing stability or security.
In DevOps, security can’t be separated from the rest of the cycle. It needs to be understood throughout the organization that security is yet another aspect of quality – and developers are all about creating high-quality software, so this culture change is essential for many businesses. Automating as much of your security process as possible will allow developers to easily gain responsibility over security during the development process.
Resources on Understanding Security Automation & SecDevOps:
- The 3 Key Benefits of Automating Your Source Code Review
- Security and DevOps: How to Get Started
- All You Wanted to Know About Continuous Integration Security
- [Webinar] 10 Steps to Agile Development without Compromising Security
Internet of Things (IoT) INSecurity
The Internet of Things, or IoT for short, has opened up a world of endless possibilities for things we can now control with software. From controlling your home thermostat from afar, to your watch being able to hear and respond to your commands, to paper toys that dance and play sounds as you receive email or get a like on your latest Facebook post, the IoT has officially arrived – and will only continue to expand rapidly throughout the next year. By 2017, the IoT market will officially surpass the smartphone, tablet AND PC market combined, with up to 82% of organizations implementing IoT applications into the ecosystem by next year.
With a world of endless possibilities for organizations and consumers alike comes a world of endless opportunities for hackers to invade homes, hospitals and businesses through the myriad of ways the applications powering IoT devices open themselves up to outsiders through security vulnerabilities. And while the benefits of driving down costs and managing data better via IoT applications and devices can be a huge burden lifted off an organization, it also opens up the organizations developing and releasing IoT applications to risks they may never have even considered before.
Organizations need to understand that any device that has been connected to the internet is ripe for attack. Because for every happy IoT user is an attacker (or more likely several) trying to figure out ways to use the IoT for their own gain, be it financial, political, or otherwise. And while the IoT doesn’t change the basic tenants of a strong application security program, it certainly ups the ante. With a projected 6.4 billion connected things in use this year – a 30% jump from just last year – the sheer game of numbers should be enough to get organizations on board with application security initiatives. As the attack surface increases in our homes and businesses, the risk of attack also increases dramatically.
2016 could very well be the year of the IoT hacks – but not if the security industry takes a sharp turn in a different direction. The concept of Secure by Design, where security functions and processes are built into the applications’ architecture, is vital here, as is shifting all security testing to the left, as well.
Resources for securing applications for the Internet of Things:
- OWASP Top 10 for IoT, Explained
- The OWASP Top 10 for IoT Project
- Securing Your Home IoT Devices
- Securing Your Medical IoT Devices
Mobile Application Hacking
As both the number of mobile devices we use and own on a daily basis along with the applications we download grows rapidly year by year, the number of mobile app attacks have risen dramatically. Vulnerabilities like the one that opened 950 million Android phones and devices up to attack with a simple multimedia message have become all too common, and with the proliferation of users downloading a mix of work and personal applications on their personal and work devices, mobile app attacks affect much more than one person.
To stop this trend from becoming a reality in 2016, it’s up to both users and mobile app developers: Users to become smarter downloaders, understanding the permissions each app requires and using safety protocols like two- factor authentication wherever possible, and on the developers (and the organizations employing them) to ensure that their code is up to snuff, doesn’t store PII or banking info, and doesn’t ask for more permissions than it needs.
Further resources for securing our mobile applications:
- The State of Mobile Application Security 2015
- OWASP Mobile Security Project
- OWASP Mobile Top 10
- Mobile Application Security: 15 Best Practices for App Developers
Developer Interest in Security
Whereas just a few years ago developers were taught just the basics of computer security in universities and no security knowledge was needed to be a good developer, the past few years have seen a welcome change in the way developers approach security. Developers are finally beginning to understand the benefits of having a security background, and it’s paying off in our organizations.
There’s still a long way to go, but we’ve seen the first signs of better collaboration between the security team and developers, and security tools have become more developer-friendly, with IDE integrations and being able to teach developers why a certain part of their code is insecure and how to best fix it.
In 2016, let’s help foster developers’ curiosity for improving their secure coding knowledge. Let’s bring interested developers along to local OWASP meetings, host secure coding workshops and encourage their efforts in CTFs and playing the offense in hacking games that will both teach them something and actually keep developers engaged. In 2016, we’ll continue to push the responsibilities further to the left in our SDLCs, and if we supplement the shift is enough training and awareness, along with aiming our developers with the correct tools, the organization as a whole will begin to reap the benefits.
Further resources for getting developers engaged in security:
- Ensuring Your Developers Love – or at Least Don’t Hate – Security
- 9 Secure Coding Practices You Can’t Ignore
- 5 Steps That Will Raise Your Developers Security Awareness
Open Source Security
While we didn’t see as many open source vulnerabilities in 2015 as we did in 2014 – the year that POODLE, Heartbleed AND the Drupal vulnerabilities were discovered – 2016 will see the continued efforts to prevent other such vulnerabilities from being discovered by a nefarious user.
With 85% of software and applications using open source libraries and known security vulnerabilities posing one of the biggest organizational risks, the time has come for organizations to give back, and help secure the open source landscape together. By taking proactive efforts to ensuring that the open source libraries we so widely use are in fact secure and are implemented securely into our ecosystems, we can help prevent the same sort of open-source panics we had in 2014. And we can pay it forward by supporting open-source projects and sharing the responsibility to help fix the vulnerabilities that we discover in the open-source libraries to prevent attack on other organizations using the same code.
Further Resources to Help You Secure Your Open-Source Code:
- Security Concerns for Using Open Source Software for Enterprise Requirements
- The State of Open Source Security
- Six Open Source Security Myths – Debunked
- Application Security Trends
- Developer Security Awareness
- open source
- Secure Developer
- Security and DevOps
Latest posts by Sarah Vonnegut (see all)
- How Secure is Your Online Banking App? - February 26, 2018
- Top 5 OWASP Resources No Developer Should Be Without - January 9, 2018
- Smart Cities: Can My City be Hacked? - December 11, 2017