Forrester recently analyzed the current application security landscape, along with the program plans of global organizations for the next 12 months. Their independent research report, The State Of Application Security, 2020, delivers valuable insights for security and development teams on the critical need to integrate application security testing early in the software development cycle (SDLC) to mitigate risk.
At ZeroNorth, we believe this report can serve as a valuable resource for organizations looking to improve their own application security programs—or even build one out for the first time. In an effort to help businesses better access Forrester’s key recommendations and takeaways, we will focus on several points from the 2020 report and break them down into bitesize action items over the next few weeks.
We hope you will stick with us and learn more about how Forrester’s deep dive into the state of application security, right now, can help you undergo the type of meaningful digital transformation every business needs in the modern world.
Application vulnerabilities put your organization at risk
One of our key takeaways from the Forrester report is the critical need for heightened application security. Attackers typically choose the path of least resistance, which means exploiting software vulnerabilities or application flaws is their best bet for gaining access to an organization.
According to a 2019 survey by Forrester, almost half of the security decision-makers who have experienced an external attack first-hand confirm the breach was carried out through the exploitation of a software vulnerability.
The State of Application Security, 2020 report confirms this and more. Embedding security earlier in the process and ensuring that process is proactive rather than reactive is one of the most reliable ways to strengthen your security posture. And it will certainly make your business more competitive.
Time to start earlier
If done consistently, addressing known vulnerabilities and risks in applications—and the infrastructure they run on—will address and mitigate most cyberattacks. But there’s still one important problem. Most organizations only focus on security within certain phases, or vertical “slices,” of the SDLC. Instead, businesses today must find ways to prioritize and evolve application security by “shifting left,” baking security into the development process from the start, and carrying that vigilance throughout every phase of building.
Puppet’s 2019 State of DevOps Report shows only 14% of organizations fully integrate security throughout the SDLC. Instead of gaining a broad understanding of the software development workflow, and how to seamlessly integrate into it, security teams are often busy implementing controls to deal with threats. But this selective “pick and choose” approach to security ultimately leaves organizations with an incomplete view of risk—and more vulnerabilities.
Forrester imparts some good news
Three key areas indicate the tide of application security may be turning, as organizations continue to adopt testing approaches aimed at enhancing visibility and improving overall code quality. Let’s look:
- Container Security Adoption Sees an Uptick: Forrester tells us, the focus on container security will “move toward the development and design phases,” which means security will be examined at all stages of the SDLC. Over the next year, 37% of security experts plan to work container security into development, while 20% plan to implement it during design. This means overall investment in container security is a smart decision for professionals looking to integrate security sooner.
- Software Composition Analysis (SCA) Creeps into Development: As we know, SCA in the early stages of the SDLC can protect applications from open source vulnerabilities and licensing issues. While 31% of decision-makers are currently implementing SCA in the development phase, this number climbs to 37% over the next 12 months, as more professionals also plan to adopt SCA in development.
- IAST Outpaces DAST in Prerelease Testing: Forrester’s findings suggest interactive application security testing (IAST) in the development phase is finally becoming a legitimate alternative to dynamic application security testing (DAST). And next year, there will be a significant uptick in the number of global security execs implementing IAST in the development phase, surpassing DAST entirely. This new reliance on IAST will help DevOps shift left sooner in the development process while also rendering their security findings more actionable.
These numbers are reassuring. The 2020 report states, “Getting security to match developer speed demands integration at all phases, and firms must move faster at pushing prerelease testing earlier in the SDLC.” The truth is evident, and CISOs are listening.
Application security starts now
At ZeroNorth, we believe this move towards more continuous security is a big step in the right direction. Because applications are still the weakest link in security, it’s never too early to address the management of their vulnerabilities. Embedding security from the start of the process enables organizations to take a more proactive approach by discovering and remediating critical code and application vulnerabilities as soon as possible. It makes perfect sense. Catching these software bugs and flaws before applications are delivered to the production environment can help teams maintain speed, meet release objectives and avoid costly delays.
Not only does this proactive approach to strengthen overall security, but it also gives organizations a competitive advantage by enabling the delivery of better products and services to market—at a faster rate.
The ZeroNorth platform enables companies to improve application security by orchestrating the vulnerability discovery process, as well as the various security scanning tools organizations use. This capability integrates the many different commercial and open source security scanning tools needed to achieve this goal. Orchestrated discovery allows businesses to actually correlate and use the high volume of output data generated by scanning tools, actionable information that otherwise becomes too onerous and unwieldy for teams to manage manually.
By consolidating security issues, prioritizing risk based on business context and integrating back into developer workflows through existing tools, ZeroNorth also speeds remediation. Our approach to vulnerability management and discovery, across applications and infrastructure, empowers businesses to assess the criticality of their posture with real data, bringing them ever-closer to truly secure DevOps. This level of professional alignment between operation and development teams, fondly known as DevSecOps, remains a determining factor in the overall strength of application security.
Download your copy
Download your complimentary copy of The State Of Application Security, 2020 to explore vertical-specific trends, learn about testing security earlier in the SDLC, understand automation’s increasing role in remediation—and more. Feel free to contact us at ZeroNorth to learn about our capabilities for application vulnerability discovery.