5 trends app sec teams should watch in 2018

Rob Lemos, writer and analyst

Much has changed in software security over the last year.

Nation state-directed attacks demonstrated the significant danger posed by software vulnerabilities and raised the pressure on developers to secure their software. Attackers used exploits leaked from the National Security Agency (NSA), for example, to spread ransomware, including the costly WannaCry and NotPetya attacks.

A parade of other events highlighted significant weaknesses in the software-development ecosystem. The breach of Equifax because of an unpatched vulnerability in Apache Struts underscored the dangers of slow patching. The compromise of two software programs used to spread malware—Avast's CCleaner management utility and Ukrainian accounting software MeDoc—emphasized the danger of poorly secured development processes.

Alex Hoole, head of software security research for Micro Focus, said change was needed in the software industry.

"Every company needs to analyze their security posture. You really have to look at what the risks are to your industry."
—Alex Hoole

In 2018, software security will continue to change quickly. Here are five key trends that industry experts say every security team should track to stay on top of risk.

1. Faster dev cycles equal more security implications

Agile development. DevOps. Continuous integration and continuous deployment (CI/CD) pipelines.

Companies are pushing for quicker turnarounds for their software projects. For application-security specialists used to taking their time to scan software and triage those scans, life will change, said Chris Eng, vice president of research at Veracode.

"[App sec teams] need to get out of the mentality of treating security as a gate. Instead, they need to be increasing automation, increasing workflows, and getting more out of the way of the developers. The developer is really becoming king in these organizations."
Chris Eng

In search of faster development—and to support developers who are coding quickly—firms will also increase their use of automation. In the same way that Uber's move to self-driving cars will eliminate the need for many drivers, software development teams need to reduce their reliance on hands-on security scanning, said John Steven, senior director of security technology and applied research at security-services firm Synopsys.

"[If] you cannot think of a fully automated way of getting things done, then you will find yourself at a disadvantage in five years."
John Steven

2. More attacks coming to the software supply chain

With the attack on the CCleaner management utility created by Avast's Piriform and the compromise of the update service for Ukrainian tax-software maker MeDoc, software supply chain attacks garnered more attention in 2017 as a significant threat to software development shops.

This risk will only grow in 2018, said Chris Porter, chief strategist for security-services firm FireEye. As companies continue to shore up their defenses against direct attack through network connections, indirect tactics will become more popular.

"Attackers will increasingly be thinking, 'If I cannot get into your organization, maybe I can get into an organization that supplies your software.' That is really hard to defend against."
Chris Porter

In response, both software developers and their customers must take steps to secure their software supply chains. Secure software development lifecycles should focus on ensuring the integrity of infrastructure, including managing the use of third-party libraries, and companies should pressure software suppliers to increase security.

"Every company needs to analyze its security posture," said Micro Focus's Hoole. "You have to look at what are the risks to your industry, including in the software supply chain, and take steps to mitigate those issues."
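The integrity check that the paragraph above calls for, as an added example that is not part of the original article or any vendor's product: before a third-party library or vendor update is installed, its SHA-256 digest is compared against a hash pinned ahead of time in a reviewed manifest, so a build delivered through a compromised update channel is rejected rather than trusted because it arrived from the expected source. The manifest format (sha256sum-style lines), the artifact names and the payload bytes are all constructed for this example.

```python
"""Pin-and-verify check for third-party artifacts (supply-chain integrity).

An artifact is installed only if its SHA-256 digest matches the value pinned
in a manifest that was committed and reviewed in advance. An artifact with no
pinned entry is refused outright rather than trusted on first use.
All inputs below are constructed for this example.
"""
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when an artifact fails the pinned-hash check."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ("<hex digest>  <name>") into a name->digest map.

    Blank lines and '#' comments are ignored; malformed lines raise so a
    corrupted manifest cannot silently pin nothing.
    """
    pinned = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise IntegrityError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1]
        pinned[name] = digest
    return pinned


def verify_artifact(name: str, data: bytes, pinned: dict) -> bool:
    """Return True if data matches the digest pinned for name; raise otherwise."""
    expected = pinned.get(name)
    if expected is None:
        raise IntegrityError(f"{name}: no pinned digest, refusing unpinned artifact")
    actual = sha256_hex(data)
    # compare_digest avoids a timing side channel on the comparison itself
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(
            f"{name}: digest mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
        )
    return True


def install_if_trusted(name: str, data: bytes, pinned: dict) -> tuple:
    """Gate an install on the integrity check; never install on failure."""
    try:
        verify_artifact(name, data, pinned)
    except IntegrityError as exc:
        return ("rejected", str(exc))
    # A real installer would write the artifact to disk here.
    return ("installed", sha256_hex(data))


# Constructed sample: one legitimate update, pinned when it was first reviewed.
GOOD_UPDATE = b"legit-update-payload-v1.2.3"
MANIFEST_TEXT = (
    "# reviewed 2018-01: pinned hashes for vendor updates\n"
    f"{sha256_hex(GOOD_UPDATE)}  tool-update-1.2.3.bin\n"
)
PINNED = parse_manifest(MANIFEST_TEXT)

if __name__ == "__main__":
    # Constructed scenario: the same file name served with altered contents,
    # as would happen if the vendor's update channel were compromised.
    tampered = GOOD_UPDATE + b"<injected>"
    print(install_if_trusted("tool-update-1.2.3.bin", GOOD_UPDATE, PINNED))
    print(install_if_trusted("tool-update-1.2.3.bin", tampered, PINNED))
    print(install_if_trusted("unlisted-plugin.bin", b"whatever", PINNED))
```

The design choice worth noting is that the pin lives in the consumer's own repository, not in the download channel: a digest fetched alongside the artifact from the same server proves nothing if that server is the thing that was compromised. Refusing unpinned names means adding a new dependency is an explicit, reviewable change to the manifest.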

3. Security requirements will expand

Developers must be more cognizant of the growing number of software-security requirements as well. Last August, for example, legislators introduced a bill to force manufacturers to take more responsibility for internet-of-things devices sold to the government.

In Europe, the General Data Protection Regulation will come into force in May, requiring any organization that collects information on European citizens—including U.S. companies—to protect that information in a specific way. Violating the statute could lead to serious fines of up to 4% of the business' revenue.

Companies and their developers should work those requirements into their software now, said Hoole.

"There are two questions they need to ask: Am I compliant? And how do I determine if I'm compliant?" he said. "A lot of companies in the next several months will be trying to figure out the answer to those questions."

4. Code will become increasingly dynamic (and harder to check)

As more software transforms into mobile, cloud, and web applications, the code behind the software is changing as well. In the past, traditional programming languages such as C, C++, Java, and C# have been relatively static, and thus easy to check with source-code analysis.

But today's runtime languages such as Python, Ruby, and JavaScript are dynamically typed and linked, and the code is in at least two pieces between the front-end browser and the back-end server. This makes it harder to cover the entire code base when security scanning, said Synopsys's Steven.

"There is an increasing invisible technical debt that is growing there," he said. "Code is becoming increasingly dynamic, and that is going to frustrate both static and dynamic testing. It is one of those problems that is really invisible to the vendor space."

5. Machine learning will help lighten the security load

In addition to adding automation to help speed development, companies will increasingly rely on machine learning as part of the application-security toolset.

With software more divided and packaged into much smaller entities as it moves toward microservices, the average complexity of each entity is reduced, said Dima Stopel, co-founder and vice president of research and development at cloud-security firm Twistlock. That's where machine learning can help.

"Defending a large number of relatively simple entities is a classic problem for the machine learning approach," he said. "Since the number of entities is large, we cannot rely on manual security configuration and must introduce automation."

By reducing reliance on human memory and on the uneven skills of a group of developers, automation will reduce coding errors. Also, additional security controls—such as behavioral protections for each microservice—can be introduced.

"The fact that each entity is simple makes it possible to effectively learn and enforce its behavior. In fact, this creates a better protection than [we had] before."
Dima Stopel

How to prepare for 2018

Here are the steps the experts recommend:

  • Adopt an agile development methodology that frequently and consistently tests code security.
  • Focus on both cloud security and the security of connected devices and the internet of things.
  • Resolve to do a better job in 2018 with patch management as well as vulnerability detection.
  • Reconsider whether in-depth legacy defense practices apply in the modern era, where software is decoupled from infrastructure.
  • Determine and improve the coverage of your static- and dynamic-analysis security tools.
