Application Security has emerged over the years as both a market and a technology. Some of the key drivers have been the explosion in the number of applications (web and mobile), attacks moving to the application layer, and compliance needs. The following are the key Application Security trends that we believe the industry will observe during the year 2016.
1. Beyond Tools - Build Application Security Program
Across the industry, mature organizations shall look at Application Security not as a technology and tool problem but as a holistic program. BSIMM lists more than 100 elements of an application security program, as observed in 78 participating organizations.
4. Hacking of Everything shall be on the rise: Internet of Things (IoT), Cars, Airplanes and more
With greater adoption of the Internet of Things (IoT) and not-so-secure practices by startups, we will see a surge in IoT devices getting hacked. Now your camera, light bulb, refrigerator, car or anything else that is connected shall be hacked.
3. Security Testing for Continuous Integration and Continuous Deployment (CI/CD)
More and more organizations shall integrate security testing into Continuous Integration (CI) or Continuous Deployment (CD). Scanning tools shall gradually evolve and mature to support CI/CD.
4. Emergence of Run Time Application Self Protection (RASP), Interactive Application Security Testing (IAST) and Real Time Polymorphism tools
RASP (Run Time Application Self Protection) and IAST (Interactive Application Security Testing) are being aggressively promoted by vendors. This year shall be more of a year of awareness, with potential mainstream adoption being at least 2 years away. Both RASP and IAST have their strengths and weaknesses, and time will tell whether they will win. Real Time Polymorphism has potential but has seen slow adoption until now.
5. Third Party Vendor Risk Management shall become more important
An increasing number of organizations will ask for Penetration Testing reports for applications developed by third parties in order to manage vendor risks. Acceptance criteria shall cover not just the functional but also the security aspects.
6. Higher due diligence before adopting new cloud solution
Most of the larger enterprises shall ask for a third party pen test report or more thorough due diligence before they adopt a cloud solution. The newer Software as a Service (SaaS) or cloud solution providers especially will have to provide a pen test report as a part of the sales process.
7. Dynamic Application Security Testing (DAST) will remain the most popular form of testing with Static Application Security Testing (SAST) playing the catch up game
DAST (Dynamic Application Security Testing) has been the primary mode of application security testing and will continue to be so. It is the easiest to adopt and gives exactly the perspective of an external attacker who will not have access to your code. For web-based applications there is resistance towards providing binaries or the code. For mobile apps, however, organizations are more willing to provide the binary of the client side application. This shall be one of the drivers for higher adoption of SAST (Static Application Security Testing).
8. Customers will ask for a combination of Static Application Security Testing (SAST) & Dynamic Application Security Testing (DAST) especially for Mobile Apps
Though organizations understand the importance of combining SAST and DAST, it is mobile app testing which shall drive higher adoption of the combination. More security sensitive organizations at a higher maturity level shall conduct SAST and DAST together. DAST will continue to be the first and most important type of testing.
9. Large organizations will scan more than 80% of their portfolio applications at least once a year
Large organizations with more than 100 apps will strive to test more than 80% of their applications at least once a year. Testing all the apps shall be one of the priorities of Chief Information Security Officers (CISOs).
10. Application hacking incidents shall rise with the need for mature response program
Last year was the year of hacks for big companies. 2016 shall be no different. Apart from detection and prevention, the industry shall need a mature breach response program. No matter what you do, hacks happen.
11. Jobs for Application Security will be more than ever before and would continue to grow
The industry has a severe shortage of application security testers. There are more jobs than available eligible professionals. A few of the major trends in ethical hacking as a profession are covered in a separate blog post.
12. Majority of Large organizations shall outsource their Application Security Testing
Large organizations shall not be able to manage application security testing in-house due to the shortage of available talent and the management overhead. Most large organizations shall outsource application security testing as a continuous program.
13. Organizations will move toward continuous/regular vulnerability management program
Organizations have understood that one-time or sporadic testing is not enough. The industry has understood the importance of continuous or regular testing and how critical it is to adopt it as a management program.
14. Integration of Vulnerability management program with Security Information & Event Management (SIEM) or Web Application Firewall (WAF)
The industry shall see more integration between vulnerability management programs and preventive solutions like Security Information & Event Management (SIEM) or Web Application Firewall (WAF). This shall become one of the criteria for choosing security testing vendors.
15. Difficult to detect but more dangerous Logical Vulnerabilities
The importance of Logical Vulnerabilities in application security testing is one of the topics least discussed by security testing product vendors. Most security testing products or cloud solutions are unable to cover them. Logical vulnerabilities are the most critical and the most difficult to detect. Mature organizations shall ask for Business Logic testing as a mandatory requirement.
16. Changing the habit of coders
Awareness alone is not enough. Think of how many of us know about the importance of exercise, yet how many actually do it? We need habit-forming tools and products that embed secure coding behavior right at the moment somebody types out a function. Testing enters the game too late.