In keeping with an all too popular industry practice of producing year end Top 10 lists, at Jemurai we developed a Top 5.5 Application Security Trends for 2018. It is obviously meant to be a little bit fun, given the “Top 5.5” title, but we tried to capture what we think are significant important things to keep in mind.
#1. Continued Framework Level Vulnerabilities
Expect to see additional massive breaches related to framework level vulnerabilities that were slow to be identified and patched (old and new).
- Actively stay up to date on libraries
- Use a mechanism to detect in CI/CD that your libraries are aging
- Commit to maintenance
#2. Innovation Applying Artificial Intelligence and Machine Learning to Security
Expect to see more threat intelligence, smarter intrusion detection, better malware detection, improved identity – all through these technologies.
- If you are very mature and have money, look to these tools.
- If you are not very mature or don’t have money, work on the basics first.
- If you are a security company, figure out where these fit for your tools.
#3. Changes to Static Analysis Market
- Companies will adopt smaller, purpose built static code analysis tools
- Companies will start developing their own tooling to perform checks in a DevOps fashion, especially for their growing cloud environments.
- Commercial tools will continue to have high false positive rates, be too slow to include in developer workflows and will work well with only a few programming languages.
- Think twice before adopting a new static tool.
- Look at the API and make sure it is usable (REST / JSON).
- Leverage open tools to get the basics done and prove a process.
- Teach your developers and ops (DevOps folks) ways to think about security.
#4. Security Engineering
Companies will start to see the value in security libraries for things like:
- Audit information
- Application security signal
- Honey Data
- Customize cloud auditing and assurance
- Look for places where security impacts architecture and consider building reusable component to handle it properly.
#5. Software for Risk and Security Program Management
Just like companies use systems for procurement, recruiting, HR, finance and business flows, companies will start using software to help them manage their risk and security programs.
- Keep an eye out for these. Try to identify your best practices and assess if the tools can help keep programs moving.
#5.5 Some Things That Should Not Be Forgotten Will Be Lost
- Tools are never a panacea but we will increasingly focus on tools.
- Awesome instructor-led hands-on training is expensive and hard to find but worth it. Computer based training is widely hated by developers, but it will grow much faster.
- Authorization is hard and tools don’t find gaps. No advances will be made.
- It doesn’t matter what you find, it matters what you fix. We’ll continue to see a focus on finding problems instead of fixing them.
- People will reuse passwords. This will undermine all sorts of other controls but we won’t see substantial change.