You are here

12 application security tool trends to watch

public://pictures/John-Mello-Journalist.png
John P. Mello Jr., Freelance writer

Applications have become rich targets for hackers. According to the US Department of Homeland Security, 90% of reported security incidents (PDF document) result from exploits against defects in the design or code of software.

Application security is a major part of protecting companies from threats, because the majority of security breaches are caused by vulnerabilities in the application layer, said Erdem Menges, Product Marketing Manager for Micro Focus Fortify.

Building security into software applications requires tools, but, as with app development itself, the tool landscape is always changing. To stay ahead of those changes, security practitioners and, increasingly, developers need to be aware of the trends in tool development and usage.

Here are 12 key trends to track.

[ Get up to speed fast on today's tools with TechBeacon's Application Security Buyer's Guide 2019 ]

1. Commercial versions of open-source tools are gaining traction

Open-source tools for application security continue to be popular, but as organizations' security needs become more sophisticated, some have been turning to proprietary solutions or commercial versions of open-source tools.

"Depending on what industry an organization's in, some of these tools have to be upgraded to something that's either proprietary or augmented to be proprietary," said Fleming Shi, CTO of Barracuda Networks, a security, networking, storage, and cloud services company.

Some organizations don't want to deal with the demands of open-source tools. They have a learning curve, and they can be a pain to maintain and manage," Shi said.

"That's why most of the open-source products out there now usually have an enterprise version. It's usually easier to manage and scale, and support is provided for it."
Fleming Shi

Commercial tools are also likely to be further advanced in the automation department, which is attractive to organizations deep into DevOps, continuous integration, and continuous development.

"Open-source tools are unique in that they will take any help they can get when they can get it," explained Frank Downs, director of cybersecurity practices at ISACA, a trade organization for professionals involved in information security, assurance, risk management, and governance.

"We've seen greater implementation of automation and machine learning in the pay-for tools, because there's a financial incentive to implement them."
Frank Downs

That's not to say that automation and machine learning aren't present in open-source tools, too. "There's just a lag there because you're waiting for the free help to show up," Downs added.

2. Better open-source interfaces

Open-source tools can be difficult to use, but many of them are undergoing a facelift, with their user interfaces being modernized. There are also signs of a departure from traditional web services stacks.

There is a move away from the older LAMP stack—Linux, Apache, MySQL, and PHP—to the newer Node JS-based stacks, said Johannes Ullrich, chief research officer at the SANS Institute, a provider of information security training. "It still uses Linux," he continued, "but with a number of different database technologies, with Elasticsearch being particularly popular."

Nevertheless, few companies even consider the user side of the security equation, said Jeff Williams, CTO and co-founder of Contrast Security, a maker of self-protecting software. 

Passwords are the "poster child for getting this balance wrong," Williams added. "But access control, encryption, security configuration, and error messages are also completely unusable."

"We need security defenses that aren’t only strong and can't be bypassed, but also easy for users to properly and reliably operate."
Jeff Williams

[ Application layer attacks are on the rise. Get key takeaways from the 2019 Application Security Risk Report in this free Sept. 25 webinar ]

3. Demand for deeper results from tools

Five years ago, customers were happy with any results a vendor could provide them. As the market has matured, that has changed.

"Because the maturity level of customers is higher than it used to be, they're looking for solutions with deeper analysis and more effective findings."
Erdem Menges

Among other things, customers want vendors to remove false positives automatically, he added, and to find more vulnerabilities in the same code.

4. Gatekeepers are appearing in the CI/CD pipeline

Continuous integration and continuous delivery (CI/CD) of software can sometimes mean security gets trumped by the need to get applications through the pipeline rapidly. To counter that tendency, organizations are inserting security scanning tools in the CI/CD process to reject vulnerable code before it makes it into production.

Shi explained that they scan the code, identify vulnerable behaviors, then push the code back even if it's functional because it's insecure.

"People are starting to put gatekeepers in the CI/CD pipeline."
Fleming Shi

5. Static and dynamic analysis tools are merging

Static analysis of an application's code uses tools to analyze what that code does without running the app. Dynamic analysis examines how the app behaves when it's running. The two forms of analysis have traditionally been performed separately, but now they're starting to merge, largely due to the demands of DevOps.

"The integration of static analysis tools with DevOps tool chains is also getting a lot of attention."
—Johannes Ullrich

Although open-source static analysis tools are improving, that progress hasn't been rapid, said Chris Horn, a researcher with Secure Decisions, an R&D division of Applied Visions.

"They're trying to integrate with the continuous integration portion of DevOps. They're putting APIs on the tools and integrating them into CI pipelines, but the types of vulnerabilities and weaknesses that can be detected haven't been rapidly improved."
Chris Horn

Contrast Security's Williams added that as software development accelerates, the long scan times of static tools are less and less compatible with DevOps pipelines. 

"[The high numbers of false positives] require expert triage that slows down development and pisses everyone off."
—Jeff Williams

Static tools also increasingly struggle with modern applications that leverage huge numbers of libraries, JavaScript in the browser, and server-side APIs, he said.

On the dynamic analysis side, there's a move toward integrating tools such as Burp Suite and OWASP Zap into CI systems.

"Those legacy dynamic tools don't play well with that because they require a person to sit with them and use them."
—Jeff Williams

At the network layer, many of the best tools are open source, Williams added. But at the application layer, there are a few OSS DAST scanners, but no decent SAST, IAST, or RASP tools available.

6. Automated results are integrated into the development lifecycle

Businesses are increasingly asking that security scans be part of the process of building and releasing applications. They want security scans triggered during app development and the results delivered automatically or semi-automatically to a security specialist or back-checking system.

Menges explained that hey're trying to test earlier and more often to find vulnerabilities.

"That integration and automation allows an organization to take care of security defects just as quality and UAT defects are being fixed by its developers."
—Erdem Menges

7. Companies are consolidating their security tools

Many companies, especially mature businesses, have been working with multiple application security vendors. Now, though, they're looking for ways to consolidate vendors by either going to a single vendor or to solutions that can bring multiple vendors under a single pane of glass.

This single view would allow companies "to see their entire application security posture while minimizing their overhead and administration costs, as well as give them a better understanding of the overall risk in their environments," Micro Focus' Menges explained.

That makes integration and providing an ecosystem for multiple application security vendors very critical, because there are very few application security vendors out there who can cover more than one aspect of application security, Menges said.

It's essential for application security tool vendors to provide an open platform and encourage integration with other vendors and other tools, he added.

8. Web application firewalls are getting smarter

Web application firewalls (WAFs) have been around for some time, but now they're starting to get smarter. More of them are gaining the power to tune themselves based on exposure and information from other tools, such as scanners. That's a big plus, since misconfiguring a WAF is a common mistake by organizations.

Results from the scanners should be consumed by the WAF so the WAF can become intelligent, Shi said.

"Once a scanner identifies a problem, a customer should not have to go to a user interface to configure the WAF to fix that problem. Instead, it should all be configured behind the scenes automatically."
—Fleming Shi

9. More cloud security email tools will be entering the market

As most email applications migrate to the cloud, the need continues to grow for tools that better interface and understand cloud-based email systems.

On-premises email is "almost dead," Ullrich said.

"Email security is now often taken over by cloud vendors, but APIs and tools will start to emerge to allow more control over cloud-based email threats."
—Johannes Ullrich

Email isn't the only area where the tools of cloud providers will be making security inroads, said George Gerchow, CSO of Sumo Logic, an analytics company focusing on security, operations, and business information.

"[Cloud service providers are] creating these great solutions that are baked into their infrastructure that are easier to use, easier to maintain, and less expensive."
George Gerchow

10. We're getting smarter about when to use tools

Organizations are learning more about when to use tools in the application development pipeline. They might use a tool such as ReSharper to take a first pass at their code to identify obvious flaws. Then another tool might be applied when the app is being committed to a source-code management system. Once the code is merged with the management system, there are usually nightly builds.

"That's a place where you can add much more rigorous and in-depth testing because it's being run overnight."
—Chris Horn

Extensive analysis can also be conducted at the testing and acceptance stage of the development cycle, he added.

11. Active monitoring apps are gaining popularity

More active monitoring applications are starting to enter the market. These applications sit in front of other apps and protect them from attack as they're running. Some of the apps use RASP—runtime application self-protection—technology, which allows them to protect themselves through reconfiguration on the fly without human intervention when confronted with potential threats.

"This is part of a trend that's trying to work with event stream data to protect applicationn. The big advantage of RASP is you don't have to modify your source code."
—Chris Horn

That's especially attractive to companies with a raft of legacy apps that would need to be rewritten to address security problems.

"Real-time checks can be put on data coming into your applications at runtime so you don't have to modify your application to deal with malicious payloads," Horn said.

Williams added that there's a promising technology called IAST—interactive application security testing—that combines the best of dynamic and static application security testing.

It also blends library analysis, runtime analysis, configuration analysis, and back-end analysis into a single agent that runs as part of the application being tested, he explained.

There are many advantages of running inside the application being tested, because much more information is available compared with external SAST and DAST, Williams said.

"[IAST] provides real-time feedback, is much more accurate, and covers more types of vulnerabilities than legacy tools."
—Jeff Williams

12. Tools are automating some pen testing

Organizations have begun using a number of tools that automate some of the tasks previously performed by pen testers. The tools are very specific. For example, they may hammer a SQL database with attacks to discover vulnerabilities. But they're no substitute for human pen testers.

"Most organizations will continue to rely on manual pen testing because people are creative, and you want to make sure humans aren't going to figure out a way into your system," Horn said.

"[The automated pen tests are valuable] because you don't want to pass an application to human pen testers that's full of obvious vulnerabilities. They'll just waste their time finding easily detectable stuff, and that's not what humans are good at. They're good at creative problem solving."
—Chris Horn

Be ready for the changes

The overarching trend for the application security tool of the future will be ease of use, Williams said.

"Successful tools are the ones that can be used by anyone—even a novice developer. The era of security tools for security experts is over. There just aren't enough security experts to get the job done."
—Jeff Williams

[ Get Report: Gartner Magic Quadrant for Application Security Testing 2019 ]