5 key app sec trends for 2021: The shift is on for software teams – TechBeacon

For many companies, 2020 was about accelerating their move to the cloud. The pandemic drove a dramatic expansion of remote work, developers focused more on cloud-native deployments, and application security teamshad to adapt to a change in usage and, often, greater demand.

In 2021, many of those seeds will take root. Businesses that accelerated digital transformations will need to secure their infrastructure, developers working remotely on cloud-native applications will have more integrated security in their coding environments, and applicationsecurity teams will be tasked with facilitating faster development cycles, rather than just finding vulnerabilities.

Overall, expect more security, automation, and coding throughout the development and deployment process, said Mike Ware, senior director of technology for Synopsys, a software-security company. Rather than just shifting security leftward to the developer, security will become a part of every piece of infrastructure, he said.

"The notion of 'shift left' will rapidly become a philosophy of 'shift everywhere.' It is not that we are going to stop moving left;we have to move security left. But we need to shift a lot of responsibilities right as well."Mike Ware

While DevOps has broken down some barriers between developers and application security teams, the future will be about more tightly integrating security into developmentand making sure that security focuses on how to produce secure applications. Teams that only focus on finding bugs will continue to slow development, and that will undermine application security in the future, saidSandy Carielli, principal analyst with analyst firm Forrester Research.

Companies will have to broaden the bailiwick of the application security teamit's no longer just about applications, but about APIs, containers, and low-code/no-code services, she said.

Here are five trends your app sec team shouldexpect in the next year.

Digital transformation took over the conversation in 2020. While many companies had focused on moving to the cloud, adding automation, and using software-defined infrastructure to drive their business and operations at the start of the year, the coronavirus pandemic forced most of them to accelerate their plans.

About seven outof every eight executives intended to make their company's operations and infrastructure cloud-native, with about the same share also committing to greater use of containers for application development and deployment, according to a survey conducted by financial giant CapitalOne.

These mandates and realities have trickled down to developers and security teams, especially as remote work has expanded. Existing silos between the groups can slow development and the resolution of security issues, so the pressures have increased to knock those walls down, said Dan Cornell, a principal at the Denim Group, a software-security consultancy, who notedthat about 30% of employees at his firm have never set foot inside theoffice.

"We are seeing the collaboration capabilities of the tooling becoming more important. Because you can't walk down the hall and peek over the cubicle walland ask how something works, teams need better ways to communicate."Dan Cornell

In 2021, security programs will focus more on integrating tools that help developers avoid the mistakes that lead to vulnerabilities, rather than just detecting the software flaws leading to those vulnerabilities, said Martin Knobloch, global application security strategist for Micro Focus.

In the past, the tools typically used at the end of the development cyclestatic application security testing (SAST) and dynamic application security testing (DAST) scanners, for examplehave not been about making the application better, but about finding all the security mistakes, he said. Rather than finding ways to make applications more secure, most of the tools have focused on detailing what's wrong.

Yet, as security becomes more focused on working with developers, such programsbecomeblockers,said Knobloch, who callsthem "bad-o-meters."

"Who has to write the code? The developers. Who has to fix the code? The developers. What we are moving toward is tools for code quality used by developers, and not security tools."Martin Knobloch

Similarly, he said, penetration tests and pen-testing tools will increasingly inform the threat model that can be used to guide developers, rather than just focus on finding ways to break the applications and circumvent security.

Denim Group's Cornell agrees.

"It is hard enougheven when you know the resolution pathto get developers to fix stuff. When you don't know the resolution path, then you are just increasing the amount of badness that you see in the system, you are not actually fixing the application."Dan Cornell

With the expansion of DevOps and infrastructure as codefrom containers to serverless computingover the past five years, security has increasingly become part of the code as well. A great deal of software is based on building blocks, most commonly open-source components, that may not be instantiated until runtime, so security checks have to be built in, said Synopsys'Ware.

An application's security configurations for development, test, and production environments are often the purview of the developer, but more application security teams are also producing code to be included in the application at each stage as well.

"We are certainly seeing more and more software security initiatives focused on DevOps cultures. Software security teams in those groups are having to write more code, because more security is codemore of that software delivering is software-defined in nature."Mike Ware

The tools used by attackers, red teams, and penetration testers continue to integrate more automation and do a lot of the work for application security audits and penetration tests.

But with the shortageof cybersecurity professionals,automation is over-relied on, and this makes for shallow assessments, said Micro Focus's Knobloch. Moreover, because penetration tests are expensive, most assessments are under significant time pressures: A test typically takes fiveto 10 days, and with a day of setup and a day of reporting, often the actual assessment is relegated to as few as three days, he said.

In the end, penetration testers are often well-trained tool operators rather than security-intrusion specialists, Knobloch said.

"You just can't turn security teams into good tool monkeys. Companies need to look forand developreally knowledgeable pen testers."Martin Knobloch

The use of open-source libraries and components in development is almost ubiquitous, with some 99%of applications having at least one open-source component, according to Synopsys's 2020 Open Source Security and Risk Analysis Report. About onethird of vulnerabilities disclosed in 2019 were in open-source products, according to White Source's 2020 State of Open Source Security report.

Determining which open-source components are secure should be a primary concern for any application security group.

You have to provide the "plumbing" that can determine whether something that you are going to bring inwill pose a risk to the enterprise,said Ware.

"The developers needto be able to select the right tools that they need to create an application, but the security teamneeds to have the plumbing in place to educate them and warn them about security issues."Mike Ware

In the end, companies need to make software not only more secure, but more resilient as well, and that means security groups have to work with developers to create the environment to produce better software, said Micro Focus'Knobloch.

"Most security people have to change. They cannot be a gate that code has to go through to pass, or a security tollbooth: Stop here until you get the results back."Martin Knobloch

Forrester'sCarielli said big challenges are in storefor security teams.

"At the same time that security pros are giving up some of their dutiesfinding and fixing vulnerabilitiesto developers, they have to expand into these other fields. There is an expanding definition of code and what are application tools, and so security pros have to look at APIs, at no-code, and at infrastructure as code."Sandy Carielli

Go here to see the original:

5 key app sec trends for 2021: The shift is on for software teams - TechBeacon