In keeping with the all too popular industry practice of producing year-end Top 10 lists, at Jemurai we developed a Top 5.5 Application Security Trends list for 2018. It is obviously meant to be a little bit fun, given the “Top 5.5” title, but we tried to capture what we think are the significant things to keep in mind.
#1. Continued Framework Level Vulnerabilities
Expect to see additional massive breaches related to framework-level vulnerabilities that were slow to be identified and patched (both old ones and newly disclosed ones).
Recommendations:
- Actively stay up to date on libraries
- Add a check to your CI/CD pipeline that detects when your libraries are aging
- Commit to maintenance
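The following is an added example of the CI/CD check recommended above; it is not Jemurai's tooling. The lockfile, the release index and the fixed build date are constructed so it runs offline; in a real pipeline the index would be fetched from your package registry's metadata. The gate fails the build when a pinned library is older than a threshold, is behind the newest release, or is unknown to the index (unknown is treated as a failure, not a pass).

```python
"""Aging-dependency gate for a CI/CD pipeline (added example, not Jemurai code)."""
import re
import sys
from datetime import date

# Constructed pinned requirements in the style of a pip lockfile.
LOCKFILE = """\
# constructed example lockfile
requests==2.18.0
django==1.11.0
cryptography==2.1.4
"""

# Constructed release index: package -> {version: release date}.
RELEASE_INDEX = {
    "requests": {"2.18.0": date(2017, 6, 14), "2.18.4": date(2017, 8, 15)},
    "django": {"1.11.0": date(2017, 4, 4), "1.11.8": date(2017, 12, 2)},
    "cryptography": {"2.1.4": date(2017, 11, 29)},
}

# Fixed "build date" so the example is reproducible offline.
TODAY = date(2018, 1, 2)


def parse_version(version):
    """Turn '1.11.8' into (1, 11, 8) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_lockfile(text):
    """Return {package: pinned version}; anything not pinned with '==' fails the check outright."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.-]+)==([0-9.]+)$", line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def check_dependencies(pins, index, today, max_age_days):
    """One finding per package that is older than max_age_days, behind the newest
    release, or unknown to the index."""
    findings = []
    for name, pinned in pins.items():
        releases = index.get(name, {})
        if pinned not in releases:
            findings.append({"package": name, "pinned": pinned, "reason": "unknown release"})
            continue
        age_days = (today - releases[pinned]).days
        newest = max(releases, key=parse_version)
        behind = parse_version(newest) > parse_version(pinned)
        if age_days > max_age_days or behind:
            findings.append({"package": name, "pinned": pinned, "newest": newest,
                             "age_days": age_days, "behind": behind, "reason": "stale"})
    return findings


def ci_gate(lockfile_text, index=RELEASE_INDEX, today=TODAY, max_age_days=180):
    """CI entry point: prints each finding and returns True only when the build may proceed."""
    findings = check_dependencies(parse_lockfile(lockfile_text), index, today, max_age_days)
    for finding in findings:
        print("FAIL", finding)
    return not findings


if __name__ == "__main__":
    sys.exit(0 if ci_gate(LOCKFILE) else 1)
```

Run it as a pipeline step and let the non-zero exit status fail the stage; the 180-day threshold is a starting point, not a standard, and the "behind newest" rule is what catches the slow-to-patch framework case the trend describes.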
#2. Innovation Applying Artificial Intelligence and Machine Learning to Security
Expect to see more threat intelligence, smarter intrusion detection, better malware detection, improved identity – all through these technologies.
Recommendations:
- If you are very mature and have money, look to these tools.
- If you are not very mature or don’t have money, work on the basics first.
- If you are a security company, figure out where these fit for your tools.
#3. Changes to Static Analysis Market
Expect that:
- Companies will adopt smaller, purpose built static code analysis tools
- Companies will start developing their own tooling to perform checks in a DevOps fashion, especially for their growing cloud environments.
- Commercial tools will continue to have high false positive rates, be too slow to include in developer workflows and will work well with only a few programming languages.
Recommendations:
- Think twice before adopting a new static tool.
- Look at the API and make sure it is usable (REST / JSON).
- Leverage open tools to get the basics done and prove a process.
- Teach your developers and ops (DevOps folks) ways to think about security.
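As an added example of the small, purpose-built, DevOps-style check this section predicts (not a Jemurai tool), here is a linter-like script that scans security-group ingress rules for administrative and database ports exposed to the whole internet and emits JSON findings. The input shape is a generic JSON export constructed for the example; adapt the loader to whatever your Terraform plan, CloudFormation template or cloud API export actually produces.

```python
"""Purpose-built cloud config check, run from CI like a linter (added example)."""
import ipaddress
import json
import sys

# Constructed export: two groups; "bastion" exposes SSH and, via an any-protocol rule, everything.
SAMPLE_EXPORT = json.dumps({
    "security_groups": [
        {"name": "web", "ingress": [
            {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
            {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
        ]},
        {"name": "bastion", "ingress": [
            {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
            {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "10.0.0.0/8"},
            {"protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "::/0"},
        ]},
    ]
})

# Ports that should never be reachable from the whole internet; extend to taste.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0; ip_network also rejects malformed CIDRs loudly."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule):
    """Port range a rule opens; protocol '-1' (all protocols) means every port."""
    if str(rule.get("protocol")) == "-1":
        return range(0, 65536)
    return range(int(rule["from_port"]), int(rule["to_port"]) + 1)


def check_export(export_json, sensitive_ports=SENSITIVE_PORTS):
    """Return findings as plain dicts so the result is easy to emit as JSON for the pipeline."""
    findings = []
    for group in json.loads(export_json).get("security_groups", []):
        for index, rule in enumerate(group.get("ingress", [])):
            if not is_world_open(rule["cidr"]):
                continue
            opened = rule_ports(rule)  # range membership is O(1), so the any-port case stays cheap
            for port in sorted(p for p in sensitive_ports if p in opened):
                findings.append({
                    "check": "world-open-sensitive-port",
                    "group": group["name"], "rule_index": index,
                    "port": port, "service": sensitive_ports[port], "cidr": rule["cidr"],
                })
    return findings


def main(export_json=SAMPLE_EXPORT):
    """Print JSON findings and return the exit status: non-zero fails the pipeline stage."""
    findings = check_export(export_json)
    print(json.dumps({"findings": findings}, indent=2))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The point is the shape, not the rule: one check, one input format, JSON out, non-zero exit on findings. That is what makes it usable from a developer workflow, which the commercial tools described above often are not.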
#4. Security Engineering
Companies will start to see the value in security libraries for things like:
- Audit information
- Application security signal
- Encryption
- Honey Data
- Custom cloud auditing and assurance
Recommendations:
- Look for places where security impacts architecture and consider building a reusable component to handle each of them properly.
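To make the reusable-component idea concrete, here is an added example (not Jemurai's library) that packages three of the items listed above into one data-access wrapper: a tamper-evident audit trail, an application-security signal channel, and honey data. The customer records, the honey record and the actors are constructed for the example; in a real system you would wire `SecuritySignals.emit()` to your alerting and persist the audit log somewhere append-only.

```python
"""Reusable security component: audit trail, app-security signal, honey data (added example)."""
import hashlib
import json
import time
from collections import defaultdict, deque


class AuditLog:
    """Append-only trail; each entry's hash covers the previous hash, so editing or
    dropping an earlier entry breaks verify()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, event):
        body = {k: v for k, v in event.items() if k != "hash"}
        return hashlib.sha256((prev_hash + json.dumps(body, sort_keys=True)).encode()).hexdigest()

    def record(self, actor, action, resource, outcome, at):
        event = {"actor": actor, "action": action, "resource": resource, "outcome": outcome, "at": at}
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        event["hash"] = self._digest(prev_hash, event)
        self.entries.append(event)
        return event

    def verify(self):
        prev_hash = self.GENESIS
        for event in self.entries:
            if self._digest(prev_hash, event) != event["hash"]:
                return False
            prev_hash = event["hash"]
        return True


class SecuritySignals:
    """Collects application-level security signals (things only the application can know)."""
    def __init__(self):
        self.events = []

    def emit(self, kind, **details):
        self.events.append({"kind": kind, **details})


class CustomerRepository:
    """Data-access wrapper: every read is audited; reading a honey record or too many
    records in a short window raises a signal. The honey record is still returned,
    so the caller cannot tell it was flagged."""
    def __init__(self, records, honey_ids, audit, signals, enum_limit=5, window_seconds=60.0):
        self._records = records
        self._honey = set(honey_ids)
        self._audit = audit
        self._signals = signals
        self._limit = enum_limit
        self._window = window_seconds
        self._recent = defaultdict(deque)  # actor -> timestamps of recent reads

    def get(self, actor, customer_id, now=None):
        now = time.time() if now is None else now
        record = self._records.get(customer_id)
        self._audit.record(actor, "customer.read", customer_id,
                           "found" if record is not None else "missing", now)
        if customer_id in self._honey:
            # No legitimate code path references a honey id, so any read is a high-confidence signal.
            self._signals.emit("honey_data_access", actor=actor, resource=customer_id)
        recent = self._recent[actor]
        recent.append(now)
        while recent and now - recent[0] > self._window:
            recent.popleft()
        if len(recent) > self._limit:
            self._signals.emit("enumeration", actor=actor, reads_in_window=len(recent))
        return record


# Constructed records; HONEY-0001 never appears in any listing or UI.
RECORDS = {
    "C-1001": {"name": "Ada", "plan": "pro"},
    "C-1002": {"name": "Grace", "plan": "free"},
    "HONEY-0001": {"name": "Honey Pott", "plan": "pro"},
}


def demo():
    """Constructed traffic: one normal read, one honey read, then a burst that looks like scraping."""
    audit, signals = AuditLog(), SecuritySignals()
    repo = CustomerRepository(RECORDS, {"HONEY-0001"}, audit, signals, enum_limit=3, window_seconds=60.0)
    repo.get("support-bob", "C-1001", now=1000.0)
    repo.get("scraper", "HONEY-0001", now=1001.0)
    for i in range(5):
        repo.get("scraper", f"C-10{i:02d}", now=1002.0 + i)
    return audit, signals


if __name__ == "__main__":
    audit, signals = demo()
    print(json.dumps(signals.events, indent=2))
    print("audit entries:", len(audit.entries), "chain intact:", audit.verify())
```

Because the wrapper sits at the architectural choke point (every read of a customer record goes through it), the audit information and the signals are produced consistently without each feature team having to remember to add them.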
#5. Software for Risk and Security Program Management
Just like companies use systems for procurement, recruiting, HR, finance and business flows, companies will start using software to help them manage their risk and security programs.
Recommendations:
- Keep an eye out for these. Try to identify your best practices and assess whether the tools can help keep programs moving.
#5.5 Some Things That Should Not Be Forgotten Will Be Lost
- Tools are never a panacea, but we will increasingly focus on tools.
- Awesome instructor-led, hands-on training is expensive and hard to find but worth it. Computer-based training is widely hated by developers, but it will grow much faster.
- Authorization is hard and tools don’t find gaps. No advances will be made.
- It doesn’t matter what you find, it matters what you fix. We’ll continue to see a focus on finding problems instead of fixing them.
- People will reuse passwords. This will undermine all sorts of other controls but we won’t see substantial change.