03 Mar Application Security Report 2017
Application Security Report
A SPECIAL REPORT FROM THE EDITORS AT CYBERSECURITY VENTURES
Q1 2017
The Application Security Report — sponsored by Code Dx — provides software development and application security trends, statistics, best practices, and resources for chief information security officers (CISOs) and IT security staff.
SOFTWARE CODE SECURITY
Hybrid app security tools will gain traction in 2017
Menlo Park, Calif. – Dec. 12, 2016
Applications have become inviting targets for malicious actors but securing those programs has proven to be challenging to both security teams and developers. Too often, key vulnerabilities get buried in a blizzard of information created by tools unable to prioritize defects in software.
That will be changing in the coming months as organizations look to solutions that combine Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) to effectively harden applications against attack.
A key technology in this new hybrid approach to application security will be RASP — Runtime Application Self-Protection. RASP was created to protect applications under attack in real time, but, when combined with dynamic testing, it has proven to be useful in helping developers prioritize vulnerability findings. That not only reduces the risk of an app making it to market with a major security defect but it accelerates the time it takes to put a secure app in a user’s hands.
The growth, maturation and adoption of RASP, along with the creation of platforms that combine SAST and DAST into unified hybrid testing solutions will contribute to the explosive growth of the app security market in the coming years — from $2.24 billion in 2016 to $6.77 billion in 2021, according to one estimate.
Indeed, the growth of the application security market will outpace the growth of the cybersecurity market as a whole in the next five years, notes Steven C. Morgan, founder and editor-in-chief of Cybersecurity Ventures. “While we anticipate 12-15 percent year-over-year growth of the cybersecurity market through 2021, our synthesis of various research has led us to expect the application security sector will grow by 16-18 percent during that period,” he says.
“The application attack surface is expanding by billions of lines of software code each year, and organizations are playing catch up when it comes to testing and securing their new apps,” he adds.
Just how large an attack surface are security teams and developers looking at? Secure Decisions, a division of Applied Visions, Inc. (AVI), a developer of visual analytic tools for cybersecurity, estimates that 111 billion lines of new software code are written every year, and that those lines carry billions of vulnerabilities.
All those vulnerabilities aren’t created equal, however. Some are more important than others because they are more visible to attackers. That’s why hybrid application testing platforms will be attracting so much attention in 2017.
“They will expose the attack surface of the software — those things that are most visible to the outside attacker,” explains Secure Decisions Director Anita D’Amico.
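The prioritization D'Amico describes can be made concrete. The script below is an added illustration, not Code Dx's, Secure Decisions' or any vendor's product: it takes static-analysis findings, a route table, a DAST crawl and RASP runtime events (all constructed here) and ranks each finding by how visible it is to an outside attacker. The handler names, paths, CWE mapping and weights are assumptions made for the example.

```python
"""Hybrid triage: rank SAST findings by exposure to an outside attacker.

Added example, not from the report or any vendor. Assumptions:
- the SAST tool reports one finding per (handler, CWE, severity);
- a route table maps handler functions to external URL paths;
- a DAST crawl reports which paths it could reach from outside and which
  weaknesses it confirmed by attacking them;
- a RASP agent reports which paths actually received attack traffic.
All data below is constructed for the example.
"""
from dataclasses import dataclass, field

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass
class SastFinding:
    id: str
    cwe: str
    severity: str
    handler: str  # function the static analyser flagged


@dataclass
class DastResult:
    path: str
    reachable: bool
    confirmed_cwes: set = field(default_factory=set)


@dataclass
class RaspEvent:
    path: str
    attack_class: str  # e.g. "sqli", "xss", "path"
    count: int


# Handler -> external path. In practice this comes from the framework's
# router; here it is constructed. None means no HTTP route at all.
ROUTES = {
    "search.query": "/api/search",
    "admin.export": "/admin/export",
    "batch.reindex": None,  # internal job, never exposed over HTTP
    "profile.update": "/user/profile",
}

# Map RASP attack classes to CWE ids so runtime events match SAST findings.
ATTACK_TO_CWE = {"sqli": "CWE-89", "xss": "CWE-79", "path": "CWE-22"}


def score_finding(f, dast_by_path, rasp_by_path):
    """Return (score, reasons) for one finding; higher means fix first."""
    score = SEVERITY_WEIGHT.get(f.severity, 0)
    reasons = [f"severity={f.severity}"]
    path = ROUTES.get(f.handler)
    if path is None:
        # Not on the attack surface: keep base severity, do not zero it.
        reasons.append("no external route: not on the attack surface")
        return score, reasons
    d = dast_by_path.get(path)
    if d and d.reachable:
        score *= 2
        reasons.append(f"reachable from outside via {path}")
        if f.cwe in d.confirmed_cwes:
            score += 20
            reasons.append("DAST confirmed the weakness at runtime")
    hits = sum(e.count for e in rasp_by_path.get(path, [])
               if ATTACK_TO_CWE.get(e.attack_class) == f.cwe)
    if hits:
        score += 5 + min(hits, 10)  # cap so noisy scanners don't dominate
        reasons.append(f"RASP saw {hits} matching attack attempts")
    return score, reasons


def triage(findings, dast, rasp):
    """Rank findings: list of (score, finding id, reasons), best first."""
    dast_by_path = {d.path: d for d in dast}
    rasp_by_path = {}
    for e in rasp:
        rasp_by_path.setdefault(e.path, []).append(e)
    ranked = [(*score_finding(f, dast_by_path, rasp_by_path)[:1], f.id,
               score_finding(f, dast_by_path, rasp_by_path)[1])
              for f in findings]
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


# Constructed sample data.
FINDINGS = [
    SastFinding("S-1", "CWE-89", "high", "batch.reindex"),  # SQLi in offline job
    SastFinding("S-2", "CWE-89", "high", "search.query"),   # SQLi on public search
    SastFinding("S-3", "CWE-79", "medium", "profile.update"),
    SastFinding("S-4", "CWE-22", "critical", "admin.export"),
]
DAST = [
    DastResult("/api/search", True, {"CWE-89"}),
    DastResult("/user/profile", True),
    DastResult("/admin/export", False),  # crawler got 403; not reachable
]
RASP = [RaspEvent("/api/search", "sqli", 37), RaspEvent("/user/profile", "xss", 2)]

if __name__ == "__main__":
    for score, fid, why in triage(FINDINGS, DAST, RASP):
        print(f"{score:3d} {fid}: " + "; ".join(why))
```

On the constructed data the high-severity SQL injection on the public search route, confirmed by DAST and already being probed according to RASP, ranks first, while the same CWE in an offline batch job ranks last. A "not reachable" crawl result is weak evidence (the crawler may simply lack credentials), so the code keeps the base severity rather than discarding the finding.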
Hybrid platforms also fit well into the ongoing trend of moving security deeper into the software development lifecycle (SDLC).
That trend was evident in the 2016 SANS State of Application Security report. The report, based on a survey of 475 organizations, found a significant increase from 2014 to 2015 — from 22 to 30 percent — in the number of respondents who indicated their development teams were responsible for security testing.
“Developers in general, and the businesses that employ them, are finally taking this seriously,” says Frank Zinghini, CEO of Applied Visions.
“The number of high-profile attacks continues to grow, and is too much to ignore,” he continues. “Developers know now that it’s only a matter of time before they become targets, if they haven’t become targets already.”
Outside forces are also pressuring companies to tighten up their application security. They need to comply with more standards — DISA STIG, PCI, HIPAA, just to name a few. Cyber insurance is starting to become a requirement, and to get it you need to meet security standards. Meanwhile, the federal government is demanding software assurance from contractors doing business with it.
“What companies are realizing is they have to do this because the business model is demanding it,” D’Amico says.
That realization is new for developers, who, in the past, found security an obstacle to meeting their goals of getting cool software out the door as fast as possible.
When developers take more responsibility for application security, though, fewer flaws reach the security team, and the security team in turn has fewer flaws to send back to developers, so it becomes less of an irritant.
Hybrid security testing helps here too, because it singles out the vulnerabilities that matter and doesn't waste a developer's time on minor problems or on reported problems that aren't problems at all, a/k/a false positives.
As hybrid testing takes hold in the coming year, expect its development to go hand in hand with increased automation. Scanning billions of lines of code and trying to remediate flaws in them manually won’t get the job done.
“Automation is critical, because the test and analysis process is so onerous and time-consuming,” Zinghini explains.
“The perceived development delays introduced by secure practices are causing customers to demand improvement from tool vendors,” he says, “and the only way to improve the situation is to take the humans out of the process as much as possible.”
– John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.
© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.