Authored by: Jim Azar, Sr. Vice President, CTO at Orasi Software
As the Internet of Things (IoT), low-latency applications, open-source software, and low-code applications become more mainstream – the application security challenges grow larger. We share how to get in front of these challenges and what to watch out for in 2021.
1. Software vulnerabilities: According to Forrester’s Annual State of Application Security Report, web applications are the most common form of external attack with software vulnerabilities at a close second. This could explain why 21 percent of security decision-makers surveyed are prioritizing building security into development processes. According to the report, the type of software and tools in hot demand include open-source software, and the growth of containers. As enterprises rely more and more on open source and third-party components, they open up more APIs externally. There is also an increased likelihood of supply chain attacks.
2. Automation: Forrester’s report also talks about integrating automated testing tools in the DevOps pipeline. There is a need for new tooling, and firms must keep up with the evolving protections to safeguard emerging application architectures. In addition, people are leaning towards hot approaches for security like DAST (dynamic application security testing), cloud security, security as a platform, and WAF (Web Application Firewall).
3. APIs: As per the 2021 State of Application Security in Financial Services Report from Contrast Security, methodologies like Agile and DevOps — and the growing use of open-source code and application programming interfaces (APIs) — have been crucial for digital transformation initiatives in the financial services industry. But this space is a ripe target for cybercriminals, and the COVID-19 pandemic has given even more acceleration. 98 percent of respondents talked of experiencing at least three successful application exploits in the past year, which have led to operational disruption and/or data breaches. Also, 99 percent of respondents in organizations with over 15,000 employees estimated the cost of each attack at $1 M or above.
4. Time spent: 81 percent of respondents shared that their application security teams spend three or more hours per false positive, and 72 percent of application security teams spend six or more hours on triaging, diagnosing, and prioritizing remediation. In terms of developer-time, 10 or more hours per vulnerability are spent to perform remediation and verification – as per 69 percent of respondents.
5. Trust and data: According to OWASP (Open Web Application Security Project), hot security threats will converge around injection flaws like SQL, NoSQL, OS, LDAP injection, and broken authentication. Incorrect implementation of application functions related to authentication and session management are serious issues. They make it easier for attackers to compromise passwords, keys, or session tokens or exploit other implementation flaws. OWASP also talks of broken access control and sensitive data exposure. Improper enforcement of restrictions on what authenticated users may do can be another area that makes it easy for attackers to exploit these flaws. They can, hence, gain access to unauthorized functionality and/or data.
6. Insufficient logging and monitoring: This can be extra disastrous when mixed with missing or ineffective integration with incident response. It helps hackers with tampering, extraction, or destruction of data.
Some of these loopholes may have existed earlier too, but with the traction that modern tools and practices are gaining, their gravity and ease have multiplied. According to Contrast Security’s State of Application Security in Financial Services Report, almost 75 percent of respondents hinted that their application security budget is increasing in 2021, and 24 percent pointed to a jump of over 15 percent. But when only 40 percent of organizations place direct responsibility for application security under the CISO, there is a clear gap on strategic priority to this area.
Do not be reckless or casual about application security. It can have even higher consequences and meaning in 2021. Brace up and be ready.