The state of application security: Many challenges but encouraging trends

When it comes to the future of digital applications, the operative word is “more,” which invokes one of those good-news / bad-news scenarios.

More of them — dozens of millions already with more entering the market every day. With more bells. More whistles. More uses. More capabilities. More features.

All good.

But it also takes more software to run them all. Which means more vulnerabilities.

Not so good.

Software is written and assembled by humans after all, and perfection is not the human condition — a reality well known by both good people and criminals. That’s why, in the cybersecurity industry, applications are described as a vast and growing attack surface. To paraphrase bank robber Willie Sutton, that’s where the vulnerabilities are.

Any doubts about that should be erased by the Forrester Research 2022 “State of Application Security” report, released this month. It states, “Once again, applications were the most common way in for external attackers, with software vulnerabilities at number one and web application exploits at number three. Supply chain has rocketed up to number two.”

The report, which is based in part on surveys ranging from about 500 to more than 1,200 security decision makers plus reports from other analysts, also addresses application programming interface and container security.

The biggest target

But this post will focus on the top three attack vectors, and the reality that most software vulnerabilities are in one kind — open source.

This doesn’t mean open source software is any more or less secure than the proprietary or commercial variety. It’s that its popularity and omnipresence make it a more convenient target. Indeed, open source is in virtually every codebase and makes up an average of 75% of them.

It’s popular for good reasons — it is almost always free and can be modified to fit the needs of a user, as long as licensing obligations are met.

Regarding supply chain security, Forrester also notes what has been reported anecdotally in headlines about some of the most damaging cyberattacks of the recent past — cybercriminals have figured out that it’s much easier, and more profitable, to use the software supply chain to spread malware.

Recent examples include the notorious Log4Shell group of vulnerabilities in the open source Apache logging library Log4j, which were present in hundreds of millions of systems, services, websites, and devices when they became public in December 2021.

Earlier in the year, the cyberattack on SolarWinds/Orion illustrated that a weak link in the software supply chain can break every other link on that chain.

In that case, hackers were able to inject malware into a SolarWinds IT performance monitoring system called Orion. When the company issued an Orion update, the malware spread to tens of thousands of SolarWinds customers when they did what experts are forever telling them to do: Keep your software up-to-date!

In short, supply chain attacks take less effort and increase potential profits for cybercriminals. instead of having to craft and execute individual attacks on hundreds to millions of customers, they can compromise a single vendor and let supply chain connections take care of the rest.

Encouraging trends

However, in The State of Application Security, 2022 report, Forrester cited good, or at least encouraging, trends for the good guys amid the rampant attacks, increased vulnerabilities, and expanded risks. Organizations are fighting back with better use of software security testing tools and improved strategy.

This, the analyst firm said, was in part because of cultural changes and leadership support for building security into faster software development.

The report noted that “58% of global senior security decision-makers plan to increase their application security budgets this year, compared to 31% who expect their budget to stay about the same and only 8% expecting to reduce the budget.”

Organizations are also increasingly doing software security testing smarter — throughout the development life cycle, rather than waiting until the end — a trend that has been noted and encouraged in reports including the annual Building Security In Maturity Model by Synopsys.

According to the Forrester report, while the mantra for a decade or more has been to “shift left” — as in, do your security testing earlier in the software development life cycle (SDLC), it is now becoming “shift everywhere” — as in, do the right tests at the right time no matter where in the SDLC.

And, perhaps in response to the recent high-profile software supply chain attacks, organizations are getting more aggressive about tracking and securing their open source software components with the use of an automated software composition analysis (SCA) tool. Forrester reported that, “In 2021, 28% of respondents planning to adopt SCA in the next year reported their goal to implement it in production, compared to 11% in the previous year.”

Indeed, one of the best things an organization can do is use an automated SCA tool to find its open source components, fix any known vulnerabilities, and make sure there are no licensing conflicts with the use of those components.

SBOM your open source

A good SCA tool can also help create a software Bill of Materials (SBOM), which is on the way to becoming mandatory if an organization wants to sell software products to the federal government. President Biden’s May 2021 executive order on “Improving the Nation’s Cybersecurity,” which is being codified into regulations, calls for a ban on government agencies purchasing any software product that doesn’t have an SBOM.

And on the strategic front, last year, Forrester reported in the 2022 State of Application Security that an increasing percentage (27% to 37% in one year) of development teams now control both the choice of application security testing tools and the budget for them.

According to Forrester, those changes are necessary. “As organizations mature in DevSecOps and break down organizational silos, swamped security leaders must find partners on other teams that will take ownership of tactical security decision-making that is most relevant to their team and enable security pros to focus on what’s next,” the report said.

Michael White, applications engineer, principal, with the Synopsys Software Integrity Group, also said those trends are good and well-established in other areas.

“This all comes down to organizational theory and is a repeated pattern across many domains,” he said. “If we look at how organizations ‘learn,’ typically they stand up a small initial group tasked with embracing the change, ‘translating’ it to their organizational culture and behaviors, but then once this group of change agents has reached a critical mass of mindshare, they must think about how to scale and reinforce that change.”

White said he expects the evolution of securing software and applications to become mainstream, the way things like firewalls and endpoint security have. When firewalls were new, special teams were created to manage them and set the rules around them.

“Now, firewall teams provide governance and direction, but the hands-on activity is mostly baked into the task of network support teams,” he said.

With application security, “we are long past the early adopter phase of this, but to achieve success, it can’t exist as a centralized point of bottleneck and control but must decentralize and federate out.”

“Our most successful customers have been doing this for years,” he said. That means a security team will provide support or guidance if needed, “but mostly let developers and DevOps [development/operations] platform teams do their own thing as much as possible without getting in their way.”

“Risks will always exist,” he said, “but the future security team simply does not have the bandwidth to be running tools for every development. It will never scale. So we need a different mindset and in some cases, a different skillset to successfully delegate this out and turn this into the enterprise shared service.”