Application security trends and forecasts for 2023
Application security today
Since the SolarWinds security breach, application security has experienced an unprecedented renaissance with numerous new solutions for every phase of the application lifecycle. This is largely due to significant investment, aggressive regulatory mandates, and enterprise risk-taking. We have seen all of this in 2022, creating a productive environment for application security adoption.
Introduction of new tools
This year, SCA and SBOM were used more widely to ensure software security, and the U.S. government underscored their importance through Executive Order 14028. Similar regulations are being developed in the EU, UK, and Canada. Given the significant changes to the frameworks of OWASP and NIST, organizations have increased their focus on the software security lifecycle. This is largely due to some of the catastrophic security breaches that occurred last year, such as the SolarWinds security breach and others.
However, despite the progress, there is still a long and rocky road ahead for enterprises of all sizes to enforce application security across the lifecycle. In addition, security efforts are hampered by a product-centric approach and disenchantment with DevOps and DevSecOps among early adopters.
The number of attacks on development environments and applications themselves has increased. Within the last year, two major software development companies, LastPass and Dropbox, disclosed security breaches that targeted their source code. Cisco Talos noted in the second quarter that the number of successful application-focused attacks as an initial compromise vector nearly surpassed the number of successful phishing attacks.
This year, technology companies felt the impact of the impending economic downturn. For many, this led to layoffs of technical staff, including many software developers. Inevitably, a shrinking development team continues to hinder the implementation of software development security programs despite the regulatory environment.
Based on the experience of 2022, it is likely that 2023 will see a new wave of sophisticated attacks on applications and a shortage of skilled application security professionals. This will tempt CISOs to look for tool-based solutions while undervaluing the rapidly maturing landscape of threat modeling, software security assurance, and continuous application security testing and monitoring.
Here are some of the key trends for 2023.
Code repository security becomes a priority
Several security breaches targeting code repositories were reported in 2022, including such high-profile cases as LastPass and Dropbox, which occurred in less than three months. Application code is often a valuable target for hackers. In addition to losing intellectual property, an attacker can spy on hard-coded secrets by accessing source code and perform code analysis to discover security vulnerabilities. Undiscovered, unauthorized code changes also pose a significant risk, as demonstrated by the Solarwinds security breach in 2019.
Protecting and monitoring access to code repositories is becoming a priority for many software development organizations, but currently there are no ideal solutions, either native or from a third-party vendor. Given the distributed nature of software development, both geographically and across organizations, the current generation of access management solutions offer limited ability to protect code or may negatively impact productivity.
As with any unsolved cybersecurity problem, we can expect to see new approaches and solutions to this problem in 2023.
Shift Left falters
“Shift Left” has become a hot trend in application security in recent years. However, as organizations experimented with this approach, numerous shortcomings became apparent. With cybersecurity teams lacking software development expertise and application-oriented knowledge, many organizations felt that the “Shift Left” ideology simply offloaded more work onto software developers and DevOps engineers without guidance or support.
Vendors are developing many application security testing tools aimed at developers and DevOps engineers, but evaluating and prioritizing the results and deciding on remediation actions requires security expertise.
Unfortunately, this expertise is often not available within the software development team. As of early 2022, there was only one application security specialist for every 120 developers and only one application security architect for every 500 developers.
In 2023, more DevSecOps initiatives will be embroiled in debates about security roles and responsibilities.
Additional complications are expected due to a potential economic downturn. This could lead to software development teams downsizing, often at the expense of security roles and DevOps initiatives, further stalling the “Shift Left” movement.
As a result, we expect security tool vendors to focus their message on ease of decision making rather than ease of integration or operation. This represents a dangerous trend, as the tools on the market lack the intelligence to make basic decisions, such as eliminating false positives or prioritizing remediation actions based on risk.
If DevSecOps initiatives are affected by this slowdown, organizations should work to shift attention from the bottom-up approach of automation and test coverage to the top-down approach of visibility and software development risk management.
The SBOM disillusionment
Most 2022 application security solution sales pitches included a software composition analysis (SCA) tool to create a software bill of materials (SBOM). Several regulations have surfaced that require SBOM as part of supply chain risk management. The number of vendors focusing on SCA tools has increased significantly, including some that make SBOM management their core business.
There is no disputing that SCA is useful for compliance and supply chain risk management. The real problem is that companies are making too many promises about the benefits of SCA and relying on SBOM management to be a core part of their application security strategy.
Gartner, in its recent Application Security Hype Cycle report, considers SBOM a technology that has not yet reached the “pinnacle of inflated expectations”
Because there is no standard approach among vendors for package reporting and manifest creation, intelligent risk decisions can be difficult when based solely on SCA/SBOM.
In 2023, SBOM management may become part of compliance tasks rather than a cybersecurity initiative, reflecting limited value for software security risk management. However, due to numerous international government regulations, SCA/SBOM could remain an important component of the application security portfolio in the future.
The comeback of DAST from the dead
Two years ago, many DevSecOps teams declared Dynamic Application Security Testing, or DAST, dead. Teams recognized that DAST was cumbersome to use and difficult to automate. In addition, DAST requires specialized security skills, so it was only used in organizations with deep expertise.
In recent years, several startups have emerged that promise a simpler, automated DAST solution that incorporates intelligent fuzzing engines and machine learning to analyze results. Unfortunately, this technology is not yet mature, and DAST solutions in 2022 offer few improvements over the platforms that were available a decade earlier.
Nonetheless, the inclusion of DAST and Interactive Application Security Testing (IAST) in the NIST Guidelines on Minimum Standards for Developer Verification of Software led to increased demand for combined SAST/DAST solutions and prompted several application security testing vendors to invest in their own DAST solutions.
The solutions available on the market will continue to offer limited automation and pipeline integration capabilities in the near future. DAST results require extensive evaluation to eliminate false positives, which significantly impacts automated risk decisions based on initial scan results. As a result, the DAST toolset still requires specialized cybersecurity skills to be effective, and the results must be manually examined to develop an appropriate risk and remediation approach.
Despite the lack of operational skills and resource-intensive support requirements, DAST remains the best solution for organizations that need to maintain a NIST -compliant software security validation program or that want to perform continuous testing instead of time-limited penetration testing.
Renewed focus on API security
Solving API security issues is a complicated task when the number of APIs and API endpoints in modern application environments can number in the hundreds. Even developing an asset management program for APIs requires significant effort without dedicated solutions. To make matters worse, B2B interoperability, where other vendors can expose their partners’ APIs through their own unsecured endpoints, is a real and significant risk.
Several operational API security solutions have been on the market for some time. While these have been proven to reduce the overall number of API-related attacks, they are rarely a deterrent to a sophisticated attacker with enough technical expertise to evade detection. New solutions offer a hybrid testing and operational approach to API security, as well as better API resource inventory capabilities.
Because APIs represent the largest unauthenticated attack surface for applications, the number of attacks is expected to continue to grow. API security monitoring issues, particularly with third-party endpoints, and software security solution adoption issues will undoubtedly lead to major security breaches in the coming years. Once organizations realize that security through unobtrusiveness no longer works for APIs, we should see a renewed interest in API security tools and approaches.
Gartner Sees API Security Testing and API Threat Protection Solutions at “Peak of Overblown Expectations” The experience of the past year shows that API threat protection solutions are much closer to the “trough of disillusionment” and will begin to approach the “plateau of productivity” in 2023. Furthermore, most API-focused testing solutions are not yet mature and need further development before they are widely adopted by software development organizations.
Software security requirements will spread through the supply chain faster than expected
In 2022, the U.S. government increased its focus on Executive Order 14028. This directed federal agencies to establish a process for reviewing the security of software vendors within the next six months. This also placed a similar focus on the security and regulatory environment for critical infrastructure.
Many software development teams ignore these regulatory developments on the grounds that they do not work directly with regulated organizations. As a result, in 2023, organizations in a number of sectors, such as finance, defense, and energy, will begin to manage software security risks by moving requirements down the supply chain.
This development could catch many companies off guard. Toward the end of 2023, significant efforts will be made to comply with software security policies NIST. With geopolitical tensions unlikely to de-escalate in 2023, software teams should expect an expansion of regulated industries that will be required to maintain third-party software security validation processes. This will consequently put pressure on many software development and SaaS providers