What is Application Security (AppSec)? Defined, Explained, and Trends
Chief Technology Evangelist
June 14, 2022
Application security (AppSec) covers the lifecycle of an app development process from its inception through coding and into production, otherwise known as the Software Development Lifecycle (SDLC). However, application security goes a step further and also includes the systems used to protect the app after production, through deployment and use. Application security measures include hardware, software, and procedures that mitigate potential security vulnerabilities and attack points. Examples of security measures include an internet router, a firewall, encryption, and authentication. We've teamed up with Arrow to break down what application security is, the processes involved, and the trends you should know about.
Why is application security important?
Cybersecurity incidents are overwhelming, with 93% of organizations experiencing a data breach in 2020-2021. Cybercriminal activity typically involves a chain of attack methods that exploit humans and software applications. Vulnerabilities in applications allow cybercriminals to install malware, steal data and login credentials, and take control of an organization's network and applications.
Application flaws are recorded in the NIST National Vulnerability Database (NVD). In the three months leading up to June 2022, the NVD recorded 6,151 application vulnerabilities. In addition, an analysis of web application vulnerabilities found that around 1-in-10 internet-facing applications had "high or critical risk" flaws. Unless addressed, these application vulnerabilities will enable cybercriminals to attack.
What type of application security technologies are there?
Because of the importance of identifying and fixing application vulnerabilities, several technologies have entered the application security landscape:
Application security testing solutions
Application security testing (AST) is used to locate security vulnerabilities and ensure that applications are protected against common security threats. AST comes in several flavors, including:
Static application security testing (SAST)
Static application security testing, or white box testing, analyzes an application's source code without executing it.
Dynamic application security testing (DAST)
Dynamic application security testing, or black box testing, tests the application while it is running.
Interactive application security testing (IAST)
Interactive application security testing combines DAST and SAST to help locate a broader range of vulnerabilities.
Software composition analysis (SCA)
Software composition analysis creates an inventory of the third-party and open-source components used to develop an application. This is important because one study found that 96% of applications contain open-source code.
Runtime application self-protection (RASP)
Runtime application self-protection analyzes application traffic and user behavior at runtime to detect cyber threats.
Mobile application security testing (MAST)
Mobile application security testing combines static and dynamic testing of mobile apps.
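To make the static-versus-dynamic distinction above concrete, here is a toy SAST check, added as an example and not taken from the article or from any product it mentions. It parses a constructed Python module into an abstract syntax tree and flags a few well-known risky patterns without ever executing the code, which is exactly what separates SAST (white box, source-level) from DAST (black box, runtime). The rule names, the sample module and its findings are all constructed for illustration.

```python
"""Toy static application security testing (SAST) check.

Added example: walks a Python module's abstract syntax tree without
executing it. Rule names and the sample module below are constructed
for illustration and are not from any real tool.
"""
import ast
from dataclasses import dataclass

# Constructed sample module under review (not production code).
SAMPLE_SOURCE = '''
import subprocess

DB_PASSWORD = "hunter2"          # hardcoded credential

def run(cmd):
    return subprocess.run(cmd, shell=True)   # shell injection risk

def calc(expr):
    return eval(expr)            # arbitrary code execution

def safe(cmd):
    return subprocess.run(["ls", "-l"])      # no shell, no finding
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


DANGEROUS_CALLS = {"eval", "exec"}
SECRET_WORDS = ("password", "passwd", "secret", "token", "api_key")


def _call_name(node: ast.Call) -> str:
    """Return 'eval' for eval(...) and 'subprocess.run' for subprocess.run(...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def scan_source(source: str) -> list[Finding]:
    """Parse the source (never run it) and return findings sorted by line."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append(Finding("dangerous-call", node.lineno,
                                        f"{name}() executes whatever it is given"))
            if name.startswith("subprocess."):
                for kw in node.keywords:
                    if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                            and kw.value.value is True):
                        findings.append(Finding("subprocess-shell-true", node.lineno,
                                                f"{name}(shell=True)"))
        elif isinstance(node, ast.Assign):
            # A string literal assigned to a name that looks like a credential.
            if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
                for target in node.targets:
                    if isinstance(target, ast.Name) and any(
                            w in target.id.lower() for w in SECRET_WORDS):
                        findings.append(Finding("hardcoded-secret", node.lineno,
                                                f"{target.id} assigned a string literal"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

Because the scan only reads the syntax tree, it finds the `eval` call and the hardcoded credential even though those code paths were never run; a DAST tool would only see them if a test request happened to reach them.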
Application security protection solutions
These are specialist tools designed to protect applications and their associated APIs across any IT infrastructure, including the cloud. Application security protection solutions come in a variety of types; examples include API security, web application firewalls (WAF), and cloud-native security tools.
Application security services
Specialist companies offer a complete lifecycle of services to help businesses build secure applications. Application security services typically cover application design and application code review and assist in secure application development. In addition, application security service vendors conduct security assessments to identify vulnerabilities and offer mitigations and remedies.
What are the application security trends and disruptions?
The discipline of DevOps (Development + Operations) has improved the speed and agility of software development. But the security of applications is a complicated, multi-variable issue. This has led to several crucial trends in the industry:
Shift left security
The sooner vulnerabilities are spotted, the better. In the past, testing for application vulnerabilities tended to happen late in the software development lifecycle (SDLC). The result was a bottleneck that slowed down production. The notion of Shift Left Security pushes the identification of security flaws into earlier stages of the SDLC. In other words, if the development timeline is drawn as a line, testing for application vulnerabilities moves towards its far left.
DevSecOps (Development + Security + Operations) is an evolution of DevOps that deeply integrates security into the fast release cycles inherent in DevOps. It has also been driven by the era of microservices and containers, which enables rolling releases and agile development. As software releases speed up, security flaws can creep in; DevSecOps provides the discipline that ensures security is part of the development lifecycle.
Cloud native applications
Cloud-native applications are built for distributed cloud computing environments. They have many benefits, including being independently managed and deployed, resiliency to outages, and ease of development and deployment. They can achieve zero downtime when running in Kubernetes.
Automation in development
The SDLC has several steps that take software from planning through release and maintenance. Multiple developers and testers are usually involved in the SDLC. Automating the various procedures in the SDLC helps remove inconsistencies between parties and maintain higher-quality code. In other words, automation helps maintain a standard, accurate process. Several disruptions are creating change in the development automation space:
Application security testing trends
Software Composition Analysis (SCA)
Open-source code is widely used in the development of applications. But open-source code is an unknown quantity and can contain security vulnerabilities that are unwittingly added to an application. SCA tools are used to identify software flaws in open-source code packages. Two companies disrupting the space are Snyk and WhiteSource. The Snyk SCA platform automates fixes to open-source components as they are added, before they create flaws in an application. WhiteSource has recently changed its company name to Mend. Mend SCA is a platform that spots software vulnerabilities and remediates them quickly and automatically.
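The two steps that every SCA tool automates, building an inventory of third-party components and matching it against advisory data, are shown here as an added example; this is not Snyk's or Mend's code, nor the article's. The requirements file, the package names and the advisory identifiers are all constructed, and the advisory feed uses the common "affected below the fixed version" convention.

```python
"""Toy software composition analysis (SCA) check.

Added example, not any vendor's product: builds an inventory of the
third-party packages pinned in a requirements file, then matches each
against a constructed advisory feed. Package names, versions and advisory
IDs below are made up for illustration.
"""
from dataclasses import dataclass

# Constructed requirements.txt content (pinned with ==).
REQUIREMENTS = """\
# web stack
examplelib==1.4.2
loggerkit==2.0.0   # inline comment
jsonfast==3.1.0
-e git+https://example.invalid/repo.git#egg=internaltool
"""

# Constructed advisory feed. Every version strictly below "fixed_in" is
# affected; fixed_in None means no fixed release exists yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "examplelib", "fixed_in": "1.4.3", "severity": "high"},
    {"id": "ADV-EXAMPLE-002", "package": "loggerkit", "fixed_in": "1.9.9", "severity": "critical"},
    {"id": "ADV-EXAMPLE-003", "package": "jsonfast", "fixed_in": None, "severity": "medium"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str


def parse_version(v: str) -> tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2); compares correctly where plain string order would not."""
    return tuple(int(p) for p in v.split("."))


def inventory(requirements: str) -> list[Component]:
    """Collect pinned name==version lines; skip comments, blanks and unpinned lines."""
    comps = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or "==" not in line or line.startswith("-"):
            continue
        name, version = (s.strip() for s in line.split("==", 1))
        comps.append(Component(name.lower(), version))
    return comps


def match_advisories(comps, advisories):
    """Return (component, advisory) pairs where the pinned version is affected."""
    hits = []
    for c in comps:
        for adv in advisories:
            if adv["package"] != c.name:
                continue
            fixed = adv["fixed_in"]
            if fixed is None or parse_version(c.version) < parse_version(fixed):
                hits.append((c, adv))
    return hits


if __name__ == "__main__":
    comps = inventory(REQUIREMENTS)
    print(f"{len(comps)} pinned components")
    for comp, adv in match_advisories(comps, ADVISORIES):
        fix = adv["fixed_in"] or "no fixed release"
        print(f"{comp.name}=={comp.version}: {adv['id']} ({adv['severity']}), fixed in {fix}")
```

Note that `loggerkit==2.0.0` is not reported although an advisory exists for the package: the pinned version is already past the fix, which is the distinction a version-aware comparison gives you over simple name matching. The unpinned editable install is skipped; a real tool would resolve it, but an inventory gap like that is itself a finding worth surfacing.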
Infrastructure as Code (IaC) Security
Cloud infrastructure comprises several components, including servers, load balancers, databases, and container clusters, each of which becomes part of the development process. Infrastructure as Code (IaC) uses software code to automate the provisioning and management of this infrastructure. IaC security embeds security into the code and processes associated with IaC to detect and prevent cloud configuration issues, using automatic scanning to detect and remove security flaws. Disruptive forces in the sector are Oak9 and Bridgecrew. Oak9 provides the tools to fix gaps in security before deployment into production. Bridgecrew uses automation to detect security issues in code before deployment.
Application Security Orchestration and Correlation (ASOC)
ASOC uses workflow automation tools to streamline vulnerability testing and remediation. These ASOC tools increase DevSecOps efficiency and effectiveness. Disrupters in the space are Vulcan Cyber and Orchestron. Vulcan Cyber ASOC is a highly scalable orchestration platform that automates and tracks the cyber risk and remediation lifecycle across the SDLC. Orchestron is a dedicated ASOC platform that utilizes 30 vulnerability risk databases to spot flaws early.
Application Security Posture Management (ASPM)
You can't protect what you can't see. ASPM provides a way to make application assets visible across any infrastructure. Enso Security and Bionic are disrupters in this space. Enso Security delivers an at-a-glance dashboard that lets security teams see application assets, providing the intelligence needed to coordinate people, tools, and processes in app development. Bionic scans an organization's entire application ecosystem to identify risks, vulnerabilities, and misconfigurations.
Application security protection trends
Application Programming Interfaces (APIs) have revolutionized how services and apps work. An API allows different programs to communicate, building the functionality that enhances and enables apps. However, this interface is an ideal attack point for hackers, and traditional security measures cannot contain these threats. A recent survey found that web application firewalls (WAF) and API gateways miss 90% of cyber-attacks. Noname Security and Traceable are making waves in the field of API security. Noname Security provides 'shift left' API security testing to catch vulnerabilities early. Traceable provides API visibility and locates security 'hot spots' to improve security.
The discipline of DevOps is based upon the notion of Continuous Integration/Continuous Delivery, known as the CI/CD pipeline. This pipeline merges IT with development and is the basis for software delivery into production and beyond. Every part of the SDLC is handled across the CI/CD pipeline, from planning to coding/building to deployment and maintenance. Because of the critical nature of the CI/CD pipeline, robust security is vital: CI/CD pipelines require security integrated into all the critical steps of the pipeline. Apiiro and Cycode are disrupting the secure CI/CD pipeline space. Apiiro takes a proactive approach to fixing security risks in cloud-native apps, using deep discovery of APIs to prevent supply chain attacks. Cycode enforces and governs security policies across the entire CI/CD pipeline.
Automating attacks requires an automated tool such as a bot, and automated bot attacks are behind the increase in cyber-attacks against enterprise targets. Bots are highly distributed and designed to evade detection. Two companies that have developed solutions to automated bot attacks are Reblaze and PerimeterX, both of which offer next-generation bot mitigation. Reblaze uses multiple layers of bot detection, including behavioral analysis, to detect bot activity. PerimeterX also uses behavioral monitoring to detect evasive bots.
A Cloud-Native Application Protection Platform (CNAPP) brings multiple security technologies together under a simplified architecture, reducing the cost and complexity of individual, disparate security solutions. In addition, CNAPP helps with the challenges of a cloud-native ecosystem, such as visibility, the accumulation of risk across extensive app and vendor ecosystems, and the need to add security to all components of the SDLC and CI/CD pipeline. In the CNAPP space, two vendors, Lightspin and Tigera, are making waves. Lightspin supplies 'graph-based cloud security' to detect vulnerabilities and provide the development team with Infrastructure as Code (IaC) remediation. Tigera uses a zero-trust approach to reduce the attack surface across all cloud-native apps.
What priorities are CXOs focused on within application security?
Securing critical applications is essential in protecting data and the broader enterprise. Therefore, several key priorities should be on the CXO watchlist for the near to medium term:
Skill shortage and secure code training
The skills shortage in software development is affecting all industries. Surveys show that around half of companies struggle to recruit software developers. One area that challenges software developers is the principle of secure coding during development. Ensuring that software code is free from vulnerabilities is critical to creating robust applications, but developers are not necessarily trained to develop secure code. Focus on offering secure code training programs to ensure your developers understand the importance of practicing secure coding, as explained in the OWASP Secure Coding Practices Quick Reference Guide.
Managing and responding to critical security vulnerabilities such as log4j
Having skilled people and the right tools to detect and respond to critical vulnerabilities will challenge all companies in the coming years. Vulnerabilities such as the Log4Shell vulnerability in the logging tool Log4j have shown how critical this challenge is. Millions of companies use Log4j. The Log4Shell vulnerability allows attackers to remotely control computers and install malware, such as ransomware. Wide-ranging and impactful vulnerabilities like this will likely recur as software developers increasingly use open-source components and a more component-based development cycle. As a result, CXOs must prioritize secure coding and have robust management and response plans in place for third-party software. CNAPP and the various security testing tools can help manage these threats.
Implementing shared responsibility models between development and security teams
Cloud computing has made the appropriate sharing of responsibility important in ensuring that security is handled correctly. The cloud shared responsibility model, for example, is a framework that sets out who is responsible for which security tasks, the cloud provider or the enterprise. A similar shared security responsibility model should determine which teams are responsible for which parts of the SDLC. Using this model, the SecDevOps mode of working ensures that each team deals with its own domain of knowledge:
Developers: create secure code and use security testing tools before releasing software into the CI/CD pipeline.
Security: work on investigations and implementation of security policies.
Operations: focus on CI/CD pipeline security controls.
Securing integrations with third parties such as partners, vendors, and open-source code
In recent years, attackers have taken advantage of third-party software as a supply chain attack mechanism. As a result, CXOs must view the security of third-party software integrations and open-source code as a critical area of focus. Visibility across the software supply chain, including open-source, is a core enabler of vulnerability mitigation. API security solutions and CNAPP platforms can help make the software supplier and API ecosystem visible.
Managing misconfigurations of application infrastructure
Misconfiguration of security settings, such as using default passwords, opens the door to cyber-attackers. Misconfigured security settings are used to gain entry to the application stack and the wider corporate network. In addition, misconfigurations can cause severe data leaks: the US Army Intelligence and Security Command, for example, stored top-secret database files in an Amazon S3 bucket without applying robust authentication. Therefore, CXOs must prioritize the mitigation of misconfigurations across the application infrastructure and research options such as IaC, which prevents misconfigurations by remediating vulnerabilities during development.
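The IaC security section and the misconfiguration point above describe the same control from two sides: catch the public bucket, the default password and the open port in the declared configuration, before anything is deployed. The following added example (not the article's code and not Oak9's, Bridgecrew's or any other vendor's) runs three such checks over two constructed, simplified Terraform-style resource maps, one weak and one corrected. The resource type names mirror common Terraform provider names, but the maps themselves are constructed JSON, not real Terraform files, and every value in them is made up.

```python
"""Toy Infrastructure-as-Code (IaC) misconfiguration scan.

Added example, not a vendor tool. WEAK_CONFIG and FIXED_CONFIG are
constructed, simplified Terraform-style resource maps (not real Terraform
files). The scan reads the declared configuration only; nothing is deployed.
"""
import json

# Constructed: weak configuration with three common misconfigurations.
WEAK_CONFIG = json.loads("""
{
  "aws_s3_bucket": {
    "app_backups": {"bucket": "example-app-backups", "acl": "public-read"}
  },
  "aws_db_instance": {
    "app_db": {"engine": "postgres", "username": "admin", "password": "admin",
               "publicly_accessible": true}
  },
  "aws_security_group_rule": {
    "ssh_in": {"type": "ingress", "from_port": 22, "to_port": 22,
               "cidr_blocks": ["0.0.0.0/0"]}
  }
}
""")

# Constructed: the same resources with the misconfigurations fixed.
FIXED_CONFIG = json.loads("""
{
  "aws_s3_bucket": {
    "app_backups": {"bucket": "example-app-backups", "acl": "private"}
  },
  "aws_db_instance": {
    "app_db": {"engine": "postgres", "username": "app_user",
               "password": "${var.db_password}", "publicly_accessible": false}
  },
  "aws_security_group_rule": {
    "ssh_in": {"type": "ingress", "from_port": 22, "to_port": 22,
               "cidr_blocks": ["10.0.0.0/8"]}
  }
}
""")

# Constructed list of values that should never appear as a credential.
DEFAULT_CREDENTIALS = {"admin", "password", "root", "changeme", ""}


def check_s3_public(resources):
    """Flag any bucket whose ACL is not private (e.g. public-read)."""
    for name, attrs in resources.get("aws_s3_bucket", {}).items():
        if attrs.get("acl", "private") != "private":
            yield ("s3-public-acl", f"aws_s3_bucket.{name}", f"acl={attrs['acl']!r}")


def check_db(resources):
    """Flag default or literal passwords and databases exposed to the internet."""
    for name, attrs in resources.get("aws_db_instance", {}).items():
        pw = attrs.get("password", "")
        if pw.lower() in DEFAULT_CREDENTIALS:
            yield ("db-default-password", f"aws_db_instance.{name}", "default or empty password")
        elif not pw.startswith("${"):
            # A literal secret in the config instead of a variable reference.
            yield ("db-hardcoded-password", f"aws_db_instance.{name}", "password is a literal")
        if attrs.get("publicly_accessible") is True:
            yield ("db-publicly-accessible", f"aws_db_instance.{name}", "publicly_accessible=true")


def check_ingress(resources):
    """Flag inbound rules open to the whole internet."""
    for name, attrs in resources.get("aws_security_group_rule", {}).items():
        if attrs.get("type") == "ingress" and "0.0.0.0/0" in attrs.get("cidr_blocks", []):
            yield ("open-ingress", f"aws_security_group_rule.{name}",
                   f"ports {attrs.get('from_port')}-{attrs.get('to_port')} open to 0.0.0.0/0")


CHECKS = (check_s3_public, check_db, check_ingress)


def scan(resources) -> list[tuple[str, str, str]]:
    """Run every check and return (rule, resource address, detail) findings."""
    return [finding for check in CHECKS for finding in check(resources)]


if __name__ == "__main__":
    for rule, address, detail in scan(WEAK_CONFIG):
        print(f"{rule}: {address}: {detail}")
    print("fixed config findings:", scan(FIXED_CONFIG))
```

Run in a CI job, a non-empty result from `scan` is the signal to fail the pipeline, which is how the "fix before deployment" promise in the IaC security section is kept in practice. The corrected configuration passes clean because the password is a variable reference rather than a literal and the bucket, database and SSH rule are no longer reachable from the internet.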