For many companies, 2020 was about accelerating their move to the cloud. The pandemic drove a dramatic expansion of remote work, developers focused more on cloud-native deployments, and application security teams had to adapt to a change in usage and, often, greater demand.
In 2021, many of those seeds will take root. Businesses that accelerated digital transformations will need to secure their infrastructure, developers working remotely on cloud-native applications will have more integrated security in their coding environments, and application security teams will be tasked with facilitating faster development cycles, rather than just finding vulnerabilities.
Overall, expect more security, automation, and coding throughout the development and deployment process, said Mike Ware, senior director of technology for Synopsys, a software-security company. Rather than just shifting security leftward to the developer, security will become a part of every piece of infrastructure, he said.
"The notion of 'shift left' will rapidly become a philosophy of 'shift everywhere.' It is not that we are going to stop moving left; we have to move security left. But we need to shift a lot of responsibilities right as well."
—Mike Ware
While DevOps has broken down some barriers between developers and application security teams, the future will be about more tightly integrating security into development and making sure that security focuses on how to produce secure applications. Teams that only focus on finding bugs will continue to slow development, and that will undermine application security in the future, said Sandy Carielli, principal analyst with analyst firm Forrester Research.
Companies will have to broaden the bailiwick of the application security team—it's no longer just about applications, but about APIs, containers, and low-code/no-code services, she said.
Here are five trends your app sec team should expect in the next year.
1. Digital transformation trickles down to application security
Digital transformation took over the conversation in 2020. While many companies had focused on moving to the cloud, adding automation, and using software-defined infrastructure to drive their business and operations at the start of the year, the coronavirus pandemic forced most of them to accelerate their plans.
About seven out of every eight executives intended to make their company's operations and infrastructure cloud-native, with about the same share also committing to greater use of containers for application development and deployment, according to a survey conducted by financial giant Capital One.
These mandates and realities have trickled down to developers and security teams, especially as remote work has expanded. Existing silos between the groups can slow development and the resolution of security issues, so the pressures have increased to knock those walls down, said Dan Cornell, a principal at the Denim Group, a software-security consultancy, who noted that about 30% of employees at his firm have never set foot inside the office.
"We are seeing the collaboration capabilities of the tooling becoming more important. Because you can't walk down the hall and peek over the cubicle wall and ask how something works, teams need better ways to communicate."
—Dan Cornell
2. Security tools focus more on guiding development
In 2021, security programs will focus more on integrating tools that help developers avoid the mistakes that lead to vulnerabilities, rather than just detecting the software flaws leading to those vulnerabilities, said Martin Knobloch, global application security strategist for Micro Focus.
In the past, the tools typically used at the end of the development cycle—static application security testing (SAST) and dynamic application security testing (DAST) scanners, for example—have not been about making the application better, but about finding all the security mistakes, he said. Rather than finding ways to make applications more secure, most of the tools have focused on detailing what's wrong.
Yet, as security becomes more focused on working with developers, such programs become blockers, said Knobloch, who calls them "bad-o-meters."
"Who has to write the code? The developers. Who has to fix the code? The developers. What we are moving toward is tools for code quality used by developers, and not security tools."
—Martin Knobloch
Similarly, he said, penetration tests and pen-testing tools will increasingly inform the threat model that can be used to guide developers, rather than just focus on finding ways to break the applications and circumvent security.
Denim Group's Cornell agrees.
"It is hard enough even when you know the resolution path to get developers to fix stuff. When you don't know the resolution path, then you are just increasing the amount of badness that you see in the system, you are not actually fixing the application."
—Dan Cornell
3. Software-defined security is part of code and configurations
With the expansion of DevOps and infrastructure as code—from containers to serverless computing—over the past five years, security has increasingly become part of the code as well. A great deal of software is based on building blocks, most commonly open-source components, that may not be instantiated until runtime, so security checks have to be built in, said Synopsys's Ware.
An application's security configurations for development, test, and production environments are often the purview of the developer, but more application security teams are also producing code to be included in the application at each stage as well.
"We are certainly seeing more and more software security initiatives focused on DevOps cultures. Software security teams in those groups are having to write more code, because more security is code—more of that software delivering is software-defined in nature."
—Mike Ware
4. Automated penetration tools improve, but skilled testers are still in demand
The tools used by attackers, red teams, and penetration testers continue to integrate more automation and do a lot of the work for application security audits and penetration tests.
But with the shortage of cybersecurity professionals, teams over-rely on automation, which makes for shallow assessments, said Micro Focus's Knobloch. Moreover, because penetration tests are expensive, most assessments are under significant time pressure: a test typically takes five to 10 days, and with a day of setup and a day of reporting, the actual assessment is often relegated to as few as three days, he said.
In the end, penetration testers are often well-trained tool operators rather than security-intrusion specialists, Knobloch said.
"You just can't turn security teams into good tool monkeys. Companies need to look for—and develop—really knowledgeable pen testers."
—Martin Knobloch
5. Open-source component security and ratings will evolve
The use of open-source libraries and components in development is almost ubiquitous, with some 99% of applications having at least one open-source component, according to Synopsys's 2020 Open Source Security and Risk Analysis Report. About one third of vulnerabilities disclosed in 2019 were in open-source products, according to WhiteSource's 2020 State of Open Source Security report.
Determining which open-source components are secure should be a primary concern for any application security group.
The onus is on development teams
You have to provide the "plumbing" that can determine whether something that you are going to bring in will pose a risk to the enterprise, said Ware.
"The developers need to be able to select the right tools that they need to create an application, but the security team needs to have the plumbing in place to educate them and warn them about security issues."
—Mike Ware
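As an added example (not code from this article or from any vendor quoted in it), the Python sketch below shows the kind of "plumbing" Ware describes and the security-as-code checks from trend 3: a dependency gate that reads a pinned lockfile, matches each component against an advisory list, and reports the resolution path (the fixed version) rather than just flagging what is wrong. The advisory ids, package names, versions and the lockfile are all constructed for the example; real plumbing would load advisories from a trusted feed.

```python
from dataclasses import dataclass
# Constructed advisory feed: ids, package names and versions are made up for this
# example. Real plumbing would load OSV/NVD-style records from a trusted feed.
ADVISORIES = [
    {"id": "ADV-2021-0001", "package": "fastjson-py", "introduced": "1.0.0",
     "fixed": "1.4.2", "severity": "high"},
    {"id": "ADV-2021-0002", "package": "tinytemplate", "introduced": "2.0.0",
     "fixed": "2.3.0", "severity": "medium"},
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Constructed pip-style lockfile for the demo (tinytemplate is already at the fixed version).
SAMPLE_LOCK = "fastjson-py==1.3.0  # json parsing\ntinytemplate==2.3.0\nrequests==2.25.1\n"

@dataclass
class Finding:
    package: str
    version: str
    advisory: str
    severity: str
    resolution: str  # the upgrade path: tell the developer what to do, not just what is wrong

def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def parse_lockfile(text):
    """Read pinned 'name==version' lines, ignoring comments and blank lines."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
    return pins

def check_components(pins, advisories=ADVISORIES):
    """Flag pins inside an advisory's affected range [introduced, fixed) with a fix."""
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"])
        if version is not None and (parse_version(adv["introduced"])
                                    <= parse_version(version) < parse_version(adv["fixed"])):
            findings.append(Finding(adv["package"], version, adv["id"], adv["severity"],
                                    f"upgrade {adv['package']} to >= {adv['fixed']}"))
    return findings

def gate_passes(findings, fail_at="high"):
    """Warn on every finding; block the pipeline only at or above the agreed severity."""
    return all(SEVERITY_RANK[f.severity] < SEVERITY_RANK[fail_at] for f in findings)
```

Wiring `check_components(parse_lockfile(...))` into a CI step and printing each finding's `resolution` gives developers the upgrade target alongside the warning, which is the difference between a "bad-o-meter" and guidance.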
In the end, companies need to make software not only more secure, but more resilient as well, and that means security groups have to work with developers to create the environment to produce better software, said Micro Focus's Knobloch.
"Most security people have to change. They cannot be a gate that code has to go through to pass, or a security tollbooth: Stop here until you get the results back."
—Martin Knobloch
Forrester's Carielli said big challenges are in store for security teams.
"At the same time that security pros are giving up some of their duties—finding and fixing vulnerabilities—to developers, they have to expand into these other fields. There is an expanding definition of code and what are application tools, and so security pros have to look at APIs, at no-code, and at infrastructure as code."
—Sandy Carielli