Everyone knows application weaknesses and software vulnerabilities continue to be the most common avenue for exploit. And this recent Forrester report, The State Of Application Security, 2020, confirms it. These independent findings indicate, as organizations shift more workflows and resources to the Cloud, cybercriminals appear to be doubling down on their attack methods. This assertion is bolstered by information suggesting web application attacks have increased twofold within just a year—and now account for 43% of all breaches.
As we wrap up our six-week deep dive into Forrester’s 2020 findings on the state of AppSec, it’s time to think more seriously about the importance of securing applications and infrastructure. As new software continues to drive the business forward with digital transformation initiatives, it will also be worth considering how some organizations are missing the mark. While many businesses today largely understand the critical need for robust AppSec programs, the reality is they are often standing still in this regard, or worse, heading in the wrong direction.
In evaluating application security practices across the software development lifecycle (SDLC), Forrester has uncovered some troubling industry-specific trends:
Financial Services. Despite relentless attacks and high-profile headlines of yet another devastating data breach, from 2018 to 2019, the proportion of global security decision-makers implementing a container security tool dropped by 19%. Additionally, in that time span, there was an 8% drop in the proportion of web application firewall (WAF) implementations, and almost across the board, application security technology usage dipped in financial services.
Retail. From 2018-2019, the proportion of global security decision-makers implementing API security dropped by 9%. Along with financial services, the retail sector reduced application security almost across the board.
Public Sector, Healthcare and Utilities. Security decision-makers in these industries are mostly focused on WAF and penetration testing. While these tools are certainly important, the report notes they need to do more—especially given the volume of customers whose data they collect and store.
Manufacturing and Business Services. With a few exceptions, this sector of organizations hasn’t decreased the proportion of implementation of application security practices, which is great news. But current focus areas are varied and spread thin throughout organizations, indicating uncertainty around risk prioritization.
We believe that these findings from Forrester jibe with those of ZeroNorth in demonstrating the inconsistency of scanning tool deployments. There’s no clear agreement on where to focus risk and security management efforts within the SDLC.
Bad Time for Complacency
Regardless of industry, virtually every business in the world now relies on software to optimize resources, improve customer experiences and drive competitive differentiation. This makes rapid application development cycles a business imperative—but it cannot come at the expense of security.
The full Forrester report, which is available for download, cautions organizations—now is not the time to get complacent. It states, “Building application security seamlessly into the development process has never been more urgent. With many teams forced into sudden remote work situations, security blockers can’t be solved by a walk over to someone’s office.”
Here at ZeroNorth, we couldn’t agree more with Forrester’s call to prioritize application security. As discussed in week one, shifting left to improve visibility is paramount, coupled with week two, where we discuss the need for a more comprehensive vulnerability management program to ensure security remains continuous.
Good Time for Solutions
We believe a risk-based approach to vulnerability orchestration across applications and infrastructure can empower organizations to critically assess their security across the SDLC with real data, gain a comprehensive and continuous view of risk and extend the value of existing scanning tools. This shift in thinking enables businesses to create and manage an automated and consistent software security program, while also pursuing digital transformation initiatives with confidence, like moving to the Cloud or deploying microservices.
But don’t just take our word for it! Here are a few real-world examples of risk-based vulnerability orchestration in action:
- Learn how a leading Fortune 100 manufacturer is leveraging the ZeroNorth platform to centrally manage tens of millions of pieces of vulnerability data and hundreds of thousands of assets—giving them a unified view of risk across global infrastructure and applications.
- See how Bidpath, one of the world’s leading online auction platforms, found a better, more cost-effective construct for security oversight using ZeroNorth. To protect its assets, scale-up security and increase team productivity, the company built a comprehensive software security program to act as a force multiplier, without draining valuable time or resources.
- Discover how this leading telecommunications provider has gained full visibility into coding methodologies and fragmented scanning and testing tools used across the enterprise. In addition to streamlining risk and security management across the SDLC, the provider has improved its ability to meet stringent compliance requirements quickly and effectively.
Ready to strengthen your security posture across both development and operational phases of the SDLC, but not sure how to get started? Watch our 2-minute explainer video and see how you can stand up an application security program—quickly and affordably.
Download the Forrester Report
Download your copy of The State Of Application Security 2020 to explore vertical-specific trends, read more about testing security earlier in the SDLC, understand automation’s increasing role in remediation—and more. Feel free to contact us at ZeroNorth to learn about how our solutions can help you right now.