Rounding the corner into the second half of the year offers a good opportunity for security strategists to reevaluate the state of their cybersecurity plans as they match them with the realities of the threat landscape.
With the fallout reverberating from vulnerabilities such as Log4Shell and Spring4Shell found in the open-source components that make up the backbone of modern enterprise applications, software supply chain issues are top of mind in 2022.
App sec experts, DevSecOps pros, and plenty of software engineering and security champions in between are being called to account for minimizing the risk of third-party vulnerabilities while still managing all the other app sec risks that have long lurked in the software development lifecycle.
To that end, TechBeacon recently caught up with some key women in cybersecurity, in honor of the recent Women in Engineering Day on June 23, to discuss software security trends. These experts—all veteran technologists with expertise across cybersecurity, application security, and DevOps—offered up their prognostications on the biggest app sec challenges we'll face in the next 12 months, the most effective ways organizations can tackle supply chain risks, and their thoughts on how DevSecOps might evolve next year.
SBOMs become imperative
Melissa Bischoping is a security researcher and evangelist for Tanium, where she acts as a director and endpoint security specialist. She analyzes emerging threats and malicious attack behaviors every day. One of the most effective things that enterprises can do to tackle supply chain security, she said, is to build a software bill of materials (SBOM).
"While concepts like software inventories and SBOMs are not new, they have never been more top-of-mind for security and dev teams as they are today. Organizations should prioritize real-time awareness of the software, shared libraries, or open source code present in their environment and not rely only on periodic audits. This is not an insignificant level of effort, but putting in the groundwork here will rapidly accelerate your ability to respond to whatever supply chain vulnerability or attack comes next."
—Melissa Bischoping, endpoint security research specialist, Tanium
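The payoff of the real-time SBOM awareness Bischoping describes is being able to answer "are we exposed?" the moment an advisory lands. The following is an added example, not code from the article or from Tanium: it queries a constructed CycloneDX-style SBOM against a constructed advisory record for Log4Shell-era log4j-core, using the half-open introduced/fixed version range that OSV-style advisories publish; the advisory id and the fixed version are placeholders, not real identifiers.

```python
"""Match SBOM components against a supply-chain advisory (added example)."""
import json
import re

# Constructed SBOM fragment in CycloneDX JSON shape (purl = package URL).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"group": "org.springframework", "name": "spring-beans", "version": "5.3.20",
     "purl": "pkg:maven/org.springframework/spring-beans@5.3.20"}
  ]
}
"""

# Constructed advisory record; id and fixed version are placeholders for illustration.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER-0001",
    "name": "Log4Shell",
    "group": "org.apache.logging.log4j",
    "component": "log4j-core",
    "introduced": "2.0",   # first affected release (assumed)
    "fixed": "2.15.0",     # first release outside the affected range (assumed)
}


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); non-numeric tails such as '-beta9' are dropped,
    and the tuple is padded to three parts so '2.15' compares equal to '2.15.0'."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range [introduced, fixed), as OSV-style advisories express it."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def affected_components(sbom_json: str, advisory: dict) -> list:
    """Return the purls of SBOM components that fall inside the advisory's range."""
    sbom = json.loads(sbom_json)
    return [c["purl"] for c in sbom.get("components", [])
            if c.get("group") == advisory["group"] and c.get("name") == advisory["component"]
            and is_affected(c["version"], advisory["introduced"], advisory["fixed"])]


if __name__ == "__main__":
    for purl in affected_components(SBOM_JSON, ADVISORY):
        print(f"{ADVISORY['name']} ({ADVISORY['id']}): {purl}")
```

Run against SBOMs exported for every deployed service, this is the "real-time awareness" check; the same matcher works for any advisory that names a group, component and version range.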
Automate open-source supply chain validation
As the chief information security officer at Aviatrix, Jenn Reed pulls double duty. She runs the internal security program for the secure cloud platform provider, while also consulting with everyone from product teams to legal to ensure that security policies and standards are met across the firm's technology and services.
Reed said that one of the biggest challenges security leaders face in the coming year is figuring out how to automate the management of open-source software-based supply chain risk.
"Not every OSS project is of the same quality or trustworthiness. In addition, not every public repository is true OSS and should not be trusted. Without proper validation, there is an increased risk of embedded malicious code. Current static and dynamic analysis testing will check for known vulnerabilities, coding best practices, and credential usage, but there is a gap in supply chain validation. There is an initiative by the Open Source Security Foundation to help rate and score the more common OSS vulnerabilities, but integrating those checks into your supply chain can be a challenge and is also only the tip of the iceberg."
—Jenn Reed, chief information security officer, Aviatrix
Supply chain risk extends well beyond open source code
With a decade of experience securing software and analyzing risk, Ksenia Peguero has her finger on the pulse of the kinds of vulnerabilities and misconfigurations that put web applications and enterprise software most at risk. The last few years have brought awareness to the supply chain risks of open-source libraries, she said.
And while that continues, Peguero expects a new supply chain risk to enter the fray: serverless functions such as those provided by AWS Lambda, Azure Functions, and others.
"Many organizations are using these functions, but few keep good track of them, know which team deployed and maintains each function, have company standards for creating these functions, or have continuous security testing of them. I think this is a big elephant in the room that is getting bigger as the cloud services and serverless architectures become more dominant for a lot of businesses."
—Ksenia Peguero, senior manager of research engineering, Synopsys Software Integrity Group
Tighter coupling of security and development
A veteran venture capitalist who focuses on early-stage cybersecurity, DevOps, and cloud-native companies, among others, Pratima Aiyagari said that the application security toolkit has evolved in the past few years. Tools now include more interactive app sec testing and technology such as runtime application self-protection (RASP).
The question now, she said, is how these new tools should fit within an app sec framework that syncs with the software lifecycle. This, in turn, will influence how DevSecOps evolves in the next year and beyond.
"Security is not a separate function within the IT organization; it needs to be tightly coupled with the development organization. Shift-left has been a phenomenon that has been spoken about actively in the security ecosystem, but truly implementing it and having the right tools to start developing every tech product with a security point of view is something I would like to see in 2023. From the first day a product is conceived, the product architect and development teams need to have an effective approach to inject security into the product."
—Pratima Aiyagari, venture partner, Nauta Capital
Automation remains the app sec brass ring
A longtime insider in the app sec vendor world, Sonali Shah has worked as executive, director, and investor at numerous security firms over the last 25 years. Today she's the chief product officer for Invicti Security.
There are two truths in app sec, she said. First, what's secure today might not be so tomorrow. Second, attack methods will keep on changing.
With businesses generating thousands of new applications yearly, those truths "work in synchronicity and contribute to ongoing risk," she said, especially when it comes to the supply chain and knowing which ingredients have gone into every piece of software.
"If organizations don't have a handle on their entire threat landscape and aren't implementing continuous, automated security measures, those lingering risks present a proverbial buffet for threat actors. Looking ahead to 2023, one of the big challenges for many organizations will be finding a balance between speed and security in order to keep up with those evolving threats. This is even more critical as ransomware and supply chain attacks pick up the pace."
—Sonali Shah, chief product officer, Invicti
Misconfigurations and permissive access will remain problematic
A cybersecurity pro with deep cloud expertise, Mindy Schlueter works as principal security architect for Sonrai Security. Her prediction is that application misconfiguration will continue to be a big problem for engineering and security teams. There are many facets to that, but a big element of misconfiguration is in the way applications grant access and authorization.
"Lack of knowledge and poor user access controls have always been a challenge in app sec. Access control, or how an application grants access to functions for users, is no longer enough as non-people identities—serverless functions, VMs, machine identities—continue to grow in environments. Without proper entitlements and entitlements management, organizations will continue to leave their sensitive information vulnerable to insiders and outsiders who can access applications to steal, manipulate, or delete sensitive data."
—Mindy Schlueter, principal security architect, Sonrai Security
Volume of work is DevSecOps' biggest problem
Anne Saunders is director of cybersecurity partnerships at consultancy Capgemini. She has deep expertise in information technology, with a specific focus on building cybersecurity solutions for complex and regulated market environments. She said one of the biggest challenges for software engineering and security teams in the coming year is the sheer volume of work they'll be asked to do. This includes updating, refactoring, configuring changes, doing API security reviews, and more, for both existing and new applications.
"Without success in this effort, the enterprise needs to be concerned about the integrity of the apps themselves. I see DevSecOps becoming more and more of a foundational domain supporting all others, as opposed to it being looked at and managed as a standalone practice. This could be the start of the transition from DevSecOps to 'secure DevOps' as the application and software development industry becomes more security aware and security becomes part of their foundational efforts."
—Anne Saunders, director of cybersecurity partnerships, Capgemini
The recognition that gatekeeping doesn't work with DevSecOps
A longtime mainstay on the DevOps and app sec speaker circuit, Caroline Wong is chief security strategist for Cobalt.io and a tireless evangelist for maturing the cybersecurity industry. She said that the "sobering" truth is that the biggest app sec challenges are the same ones we've faced for the past decade.
Case in point: She said that the OWASP Top 10 was updated in 2021 but hasn't substantially changed since 2003. A lot of that is systemic, and she believes the industry can make better gains in the coming year by embracing the DevSecOps ethos with better collaborative techniques.
"Security folks are changing their approach to working collaboratively with developers and operations teams. Gatekeeping no longer works. We've got to be curious and ask questions and listen and learn how the folks who develop software do it, and integrate our security testing and practices into the way these folks work today. The more frequently software is released and new features and new products are developed, the more security folks have got to keep pace with security testing that integrates well with agile development processes."
—Caroline Wong, chief security strategist, Cobalt.io
Mapping out software supply chain risks
A security product manager with technical chops developed as a former red-teamer and a longtime intelligence analyst and information warfare officer for the US National Security Agency and US Navy, Hillary Benson currently acts as director of product management for GitLab's security suite.
She said the industry has seen just the very beginning of high-impact software supply chain attacks, and she expects to see a variety of new vectors exploited in the next year. She warns security and business leaders to start tackling the problem not just by developing an SBOM, but by really mapping the entire software supply chain and trying to spot weaknesses across the board.
"Understand where and how you're exposed to supply chain risk and make a proactive plan to address it," she said. "Draw out your software supply chain and evaluate where it poses the greatest risks to your business."
"Many organizations often assume that open-source dependencies pose the greatest risk and are surprised by how many other higher-impact gaps they should really address first. Establish processes to close those gaps. Invest in tooling that enables those processes. Software supply chain security is built and broken in the glue between stages of the SDLC. Practically speaking, those stages are defined in the tools you use. It's a losing battle to use tools that clash with the processes you need to establish."
—Hillary Benson, director of product management, GitLab
App sec spending will be driven by software engineering teams
A startup executive with experience in DevOps and agile development, Joni Klippert is CEO of StackHawk, a security startup that builds application and API security testing tools targeted to developers. Her prediction is that as security becomes more tightly bound to engineering teams and delegated to developers, app sec purchases will increasingly be made by DevSecOps teams rather than the security organization.
"DevSecOps leads to an inherent change in buying and tooling decisions across development teams, with engineering teams playing a greater role in the purchase decision of security software. True DevSecOps requires tools that fit into the existing developer workflow and are friendly for all users. In 2023, expect to see budgets shifting into development organizations, with engineering organizations creating evaluation criteria, leading purchase decisions, and ultimately signing purchase orders."
—Joni Klippert, founder and CEO, StackHawk