Five Application Security Predictions For 2023

Uploaded on 2023-01-25 in NEWS-Cybersecurity News, FREE TO VIEW

Security experts have cited the shift to cloud native applications as a driver of significant opportunities and challenges in the area of cybersecurity. In a recent ISG Provider Lens™ Cloud Native Services and Solutions report for the U.S. it stated, “The U.S. ecosystem around containers, Kubernetes and related services is entering a more mature phase as developers and the IT community reach a deeper understanding of the benefits and challenges that come with cloud-native technologies.

In addition, traditional security systems based on protecting a perimeter around the enterprise also fall short with cloud-native architectures. Multi-developer, multi-platform environments made up of widely distributed software components require specialized security solutions.”

This is a change that has been in motion for several years and momentum is finally starting to take hold. To that end, below are five predictions in this area that are expected to materialize in 2023. The predictions are based on feedback from enterprise security and DevSecOps professionals over the last 12 months and include the following:

1.    Application security and cloud security will converge:

Over the next 12 months, more applications will be built using a cloud native approach than the traditional, monolithic architecture. Distributed applications that use containers will be impacted by an increasing number of vulnerabilities that span microservices and traverse the infrastructure layer.

The distinction between application security and cloud security has clearly blurred as application security is now affected by the underlying cloud infrastructure, while cloud security professionals now have to take the application layer into account in their attack path analysis.

  • For application security professionals, this means they must now learn to perform an accurate analysis of cloud native applications, which combine analysis of code, container, cluster, cloud and their connections and communications.
  • For cloud security professionals, this means finding a way to add application layer analysis into their existing security posture.

2.    ‘Shift left’ will become ‘Shift everywhere’ 

For the last decade, people have been talking about shifting left. The truth is, the more static your analysis is, the greater number of false positives you will receive, along with alert fatigue. Running a SAST tool doesn’t actually tell you what your application risk is, only that you have a bunch of vulnerabilities, some real, some not.

There’s a real need to tie runtime analysis to signals that you’re getting from your static scanners, so that contextual knowledge is provided of what’s happening within applications. Intelligent analysis that combines user derived signals from static analysis with signals that you get from runtime analysis (shifting to the right) will provide greater truth about the vulnerabilities in your applications, and a true understanding of how they contribute to overall risk.

3.    Greater C-Suite demand for visibility into risk contributions of apps and the teams that build them 

The days when the greatest challenge for the appsec team was ‘What vulnerabilities are in our applications, and how do we remediate them?’ will go away. This will be replaced by the need to establish and report metrics on the risk contribution of each application, and the chain of accountability to the teams that are responsible for their production and security.

Leaders will want to know this so they can allocate resources accordingly to lower their overall risk exposure.

This will force appsec teams to find tools that provide detailed, high fidelity risk profiles for each application within their care that include the ‘risk score’ of their applications (calculated from the total, type, and severity levels of the vulnerabilities that are left without remediation), the type of data that these applications collect, transfer and store, and the number of records that are collected, among others.

4.    There will be a demand for clearer prioritization data, making the Vulnerability Exploitability Exchange (VEX) more popular

Vulnerability management typically means sorting through a mountain of noise to figure out what really needs to be remediated, and what doesn’t, then prioritizing remediation efforts. Appsec professionals will increase their demands on tool vendors to provide clear data on the relative levels of risk that each vulnerability presents, so that they’re not left guessing what to remediate and left to assign precious resources to manual prioritization efforts.

This shift will call for a clear, consistent data format for communicating the prioritization information that is machine readable to enable automations and integrations. The Vulnerability Exploitability Exchange (VEX) will become more popular as a result.

5.    Software supply chain security will finally have a clear definition

But it’s not a simple one. Ask 10 different people what software supply chain security is and you’re likely to get 10 different answers, with some of them being lengthy and confusing. As software supply chain security continues to receive more scrutiny, a more precise and consistent definition will emerge. It will not likely be a simple, one-sentence definition, but clearly defined categories where each have their own definitions and requirements. 

Cloud-native applications present a major challenge for traditional application security solutions for several reasons.

First, visibility is more limited because current tools simply don’t have the ability to comprehensively see what’s happening in distributed applications. These tools were designed to scan large, monolithic blocks of code, and their approach is to treat the code like a big box. Using the same approach on modern software results in even more false positives and redundant vulnerabilities, and the potential for false negatives. Improperly configured cloud infrastructure can also significantly impact the severity of vulnerabilities in the applications, and is one of the most pressing cloud-native security concerns.

While modern applications can be game-changers when it comes to business agility, securing them introduces new challenges and requirements that beg the question - why do we continue to use traditional application security solutions to secure modern software?

Cloud-native applications represent a new paradigm, and a corresponding shift in how we approach application security is necessary to accompany this shift.

Dean Agron is  CEO and co-founder of Oxeye 

You Might Also Read: 

How IAST Improves Application Security & Six Steps to Effective Deployment:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

« Ukraine Signs Cyber Security Deal With NATO
Who Foots the Bill For A Data Breach?  »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

USNA Center for Cyber Security Studies

USNA Center for Cyber Security Studies

The mission of the Center for Cyber Security Studies is to enhance the education of midshipmen in all areas of cyber warfare.

National Trading Standards eCrime Team (NTSeCT) - United Kingdom

National Trading Standards eCrime Team (NTSeCT) - United Kingdom

The National Trading Standards eCrime Team tackles online consumer scams, rip-offs and fraud, as well as those committed by text or email.

Lares Consulting

Lares Consulting

Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing and coaching.

Guardea Cyberdefense

Guardea Cyberdefense

Guardea Cyberdefense is an IT services company specializing in the management of security projects, with a pool of skills selected from a network of specialized partners.

NESEC

NESEC

NESEC is a specialist in information security consulting services and solutions.

NetExtend

NetExtend

NetExtend services include backup and recovery, endpoint protection, network monitoring, cloud portal and billing and payment solutions.

RedShield Security

RedShield Security

RedShield is the world's first web application shielding-with-a-service company.

Sponge

Sponge

Sponge is a world-renowned digital learning provider on a mission to make learning unforgettable.

SBD Automotive

SBD Automotive

SBD Automotive are specialists in automotive technology providing independent research and consultancy to help create smarter, more secure, better connected, and increasingly autonomous cars.

Concordium

Concordium

Concordium aims to build the world’s leading open-source, permissionless, and decentralized blockchain with built-in user identity at the protocol level.

Carson McDowell

Carson McDowell

Carson McDowell are one of Northern Ireland's leading law firms. We are the law firm of choice for many of Northern Ireland's Top 100 companies as well as international companies doing business here.

Commonwealth Cyber Initiative (CCI)

Commonwealth Cyber Initiative (CCI)

The Commonwealth Cyber Initiative is establishing Virginia as a global center of excellence at the intersection of security, autonomous systems, and data.

Belcan

Belcan

Belcan is a global supplier of engineering, manufacturing & supply chain, workforce and government IT solutions to customers in the aerospace, defense, automotive, industrial, and private sector.

Campus cyber

Campus cyber

A project initiated by the President of the Republic, the Cyber Campus is the totem site of cybersecurity that brings together the main national and international players in the field.

Europol - European Cybercrime Centre (EC3)

Europol - European Cybercrime Centre (EC3)

The European Cybercrime Centre (EC3) was set up by Europol to strengthen the law enforcement response to cybercrime in the EU.

Two99

Two99

Two99 provide tailored excellence in the areas of E-Commerce, Marketing, Consulting, and Cyber Security.