In keeping with the all too popular industry practice of producing year-end Top 10 lists, at Jemurai we developed a Top 5.5 Application Security Trends for 2018. It is obviously meant to be a little bit of fun, given the “Top 5.5” title, but we tried to capture what we think are the significant things to keep in mind.
#1. Continued Framework Level Vulnerabilities
- Expect to see additional massive breaches related to framework level vulnerabilities that were slow to be identified and patched (old and new).
- Actively stay up to date on libraries
- Use a mechanism to detect in CI/CD that your libraries are aging
- Commit to maintenance
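As an added example (not part of the original post), this is the kind of CI/CD gate the points above describe: a small Python check that fails the build when a pinned library has a published advisory, is a major version behind, or has been sitting unchanged for more than a year. The package names, registry snapshot and dates are constructed; a real pipeline would fetch that metadata from the package registry and an advisory feed.

```python
from datetime import date
# Constructed pinned dependencies of a hypothetical service (name -> pinned version).
PINNED = {"web-framework": "2.3.1", "xml-parser": "1.0.4", "json-lib": "4.1.0"}
# Constructed registry snapshot (hypothetical shape): latest version, release date per
# version, and versions with a published advisory. A real pipeline fetches this.
REGISTRY = {
    "web-framework": {"latest": "2.5.0", "advisories": {"2.3.1"},
                      "released": {"2.3.1": date(2016, 5, 2), "2.5.0": date(2017, 11, 20)}},
    "xml-parser": {"latest": "1.0.4", "advisories": set(),
                   "released": {"1.0.4": date(2015, 8, 14)}},
    "json-lib": {"latest": "4.1.1", "advisories": set(),
                 "released": {"4.1.0": date(2017, 9, 1), "4.1.1": date(2017, 12, 10)}},
}
BUILD_DATE = date(2018, 1, 2)  # constructed date of the CI run

def parse_version(v):
    """'2.3.1' -> (2, 3, 1); non-numeric suffixes such as '1.0.4b' are tolerated."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def check_dependencies(pinned, registry, today, max_age_days=365):
    """Return (name, reason) findings; an empty list means the gate passes."""
    findings = []
    for name, version in sorted(pinned.items()):
        meta = registry.get(name)
        if meta is None:  # unknown package: fail closed rather than silently pass
            findings.append((name, "not found in registry snapshot"))
            continue
        if version in meta["advisories"]:
            findings.append((name, f"{version} has a published advisory"))
        if parse_version(version)[0] < parse_version(meta["latest"])[0]:
            findings.append((name, f"{version} is a major version behind {meta['latest']}"))
        released = meta["released"].get(version)
        if released is not None and (today - released).days > max_age_days:
            findings.append((name, f"{version} released {(today - released).days} days ago"))
    return findings

def gate_exit_code(findings):
    """0 lets the pipeline stage pass, 1 fails it; CI acts on this code."""
    return 1 if findings else 0

if __name__ == "__main__":
    results = check_dependencies(PINNED, REGISTRY, BUILD_DATE)
    for name, reason in results:
        print(f"STALE: {name}: {reason}")
    raise SystemExit(gate_exit_code(results))
```

Run it as a pipeline step after dependency resolution; the non-zero exit code is what makes the aging library visible instead of waiting for the breach notice.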
#2. Innovation Applying Artificial Intelligence and Machine Learning to Security
- Expect to see more threat intelligence, smarter intrusion detection, better malware detection, improved identity – all through these technologies.
- If you are very mature and have money, look to these tools.
- If you are not very mature or don’t have money, work on the basics first.
- If you are a security company, figure out where these fit for your tools.
#3. Changes to Static Analysis Market
- Companies will adopt smaller, purpose-built static code analysis tools.
- Companies will start developing their own tooling to perform checks in a DevOps fashion, especially for their growing cloud environments.
- Commercial tools will continue to have high false positive rates, be too slow to include in developer workflows and will work well with only a few programming languages.
- Think twice before adopting a new static tool.
- Look at the API and make sure it is usable (REST / JSON).
- Leverage open tools to get the basics done and prove a process.
- Teach your developers and ops (DevOps folks) ways to think about security.
#4. Security Engineering
- Companies will start to see the value in security libraries for things like:
  - Audit information
  - Application security signal
  - Honey data
  - Customized cloud auditing and assurance
- Look for places where security impacts architecture and consider building a reusable component to handle it properly.
#5. Software for Risk and Security Program Management
- Just like companies use systems for procurement, recruiting, HR, finance and business flows, companies will start using software to help them manage their risk and security programs.
- Keep an eye out for these. Try to identify your best practices and assess if the tools can help keep programs moving.
#5.5 Some Things That Should Not Be Forgotten Will Be Lost
- Tools are never a panacea but we will increasingly focus on tools.
- Awesome instructor-led, hands-on training is expensive and hard to find but worth it. Computer-based training is widely hated by developers, but it will grow much faster.
- Authorization is hard and tools don’t find gaps. No advances will be made.
- It doesn’t matter what you find, it matters what you fix. We’ll continue to see a focus on finding problems instead of fixing them.
- People will reuse passwords. This will undermine all sorts of other controls but we won’t see substantial change.