Denim Group sees shifts in the application security landscape with new applications resulting in new attack vectors, security problems with HTML 5, shift to business logic attacks, and more
Denim Group, an IT consultancy and strong contributor to the larger application security community, announced today that it foresees shifts in the application security landscape this year. As a trusted advisor to many Fortune 500 and large public sector organizations, the firm has just announced its guidance on the top application security trends for 2010:
- Web “Mashup” Applications Will Result in New Attack Vectors: Web applications that integrate data and functionality from multiple systems are becoming increasingly common. Unfortunately, threat models for these “mashup” applications are rarely performed, and when they are, they are rarely understood. Software is changing much faster than security practitioners can provide meaningful guidance to application development teams.
- New Data Breaches Will Force Organizations to Focus on Internal Applications as Well as External: Most organizations incorrectly assume they only need to worry about external security, but publicly revealed data breaches of internal applications have shown that an internal network is no longer a safe haven. In 2009, known breaches caused by malicious insiders resulted in the compromise of over 1.5 million records according to DataLossDB.org. What is not known is the extent of incidents that were concealed or went unreported.
- Adoption of HTML 5 and Other New Technologies Will Cause Developers to Inadvertently Build Vulnerable Applications: HTML 5 has a variety of new capabilities that can erode previously established security controls. While developers are building more ambitious applications using these new capabilities, many development teams will not consider the security risks of exposing HTML 5-based web applications until after their deployment.
- Resurgence of Risk Management: Many organizations have postponed spending on software security during the recession at a potentially huge cost. As the economy improves, organizations will refocus on risk management rather than merely meeting compliance requirements.
- Organizations Will Finally Start Asking, “How Are We Going to Fix These Vulnerabilities?” Security teams will shift their focus from finding vulnerabilities to working with development teams and actually fixing them. Forward-thinking organizations will treat application vulnerabilities as software defects and will leverage existing software development and maintenance practices within the organization in order to resolve security vulnerabilities.
- Security and Development Teams Will Have Increasing Interactions: Increasing dialogue between security and application development teams will lead to improved decision-making that incorporates risk management and an understanding of the overall value of the enterprise.
- Organizations Will Move Beyond Scan-Only Approaches to Application Security: Initial approaches to application security were often focused solely on automated scans of applications or code to identify technical vulnerabilities. However, targeted attackers are shifting their focus to business logic attacks on applications, and leading organizations will start to incorporate more manual testing and code reviews in order to respond to these new realities.
- The Application Security Market Will Continue Consolidating: Further consolidation of product vendors will provide product suites with a more comprehensive range of capabilities and consistent approach. Global system integrators will identify software security as a gap in their services and will try to solve the problem through acquisition.
- Organizations Deploying Web Application Firewalls Will Increasingly Use Them for Virtual Patching: Virtual patching involves creating targeted rules for a web application firewall based on specific known vulnerabilities. Organizations will increase their use of this practice to provide interim protection while code-level fixes are implemented.
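The virtual patching practice described in the previous item, as an added example that is not Denim Group's code or guidance: a small Python evaluator for targeted WAF rules, where each rule is scoped to one path and one parameter and enforces positive validation for a specific known flaw. The application paths, parameter names and sample requests are constructed for illustration and are not taken from the release; in a real deployment the same rules would be written in the WAF's own rule language.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualPatch:
    """One targeted WAF rule written for a specific known vulnerability."""
    rule_id: int
    path_prefix: str      # only requests under this path are inspected
    parameter: str        # the parameter the vulnerable code fails to validate
    allowed: re.Pattern   # positive validation: what a legitimate value looks like
    message: str          # what the log entry says when the patch fires


@dataclass
class Request:
    """Minimal parsed request; args maps a name to a string or a list of strings."""
    path: str
    args: dict


# Constructed rules for a hypothetical application (paths and parameters are assumptions).
# Each rule exists only because a specific code-level flaw is known and not yet fixed.
PATCHES = [
    VirtualPatch(900001, "/account/view", "id", re.compile(r"^[0-9]{1,10}$"),
                 "non-numeric id on account lookup (interim cover for a known flaw)"),
    VirtualPatch(900002, "/reports/export", "format", re.compile(r"^(csv|pdf)$"),
                 "unexpected export format (interim cover for a known flaw)"),
]


def evaluate(request, patches=PATCHES):
    """Return ('allow', None) or ('deny', log_line) for one request.

    A patch fires only when the request is inside its path scope and the named
    parameter is present with a value that fails positive validation. A missing
    parameter is left to the application, so the rule cannot break pages that
    simply do not send it. Every occurrence of a repeated parameter is checked,
    so a second copy of the parameter cannot slip past the rule.
    """
    for patch in patches:
        if not request.path.startswith(patch.path_prefix):
            continue
        value = request.args.get(patch.parameter)
        if value is None:
            continue
        values = value if isinstance(value, list) else [value]
        for candidate in values:
            # fullmatch rejects trailing newlines and partial matches that a bare search would accept
            if patch.allowed.fullmatch(candidate) is None:
                log_line = (f"virtual-patch id={patch.rule_id} action=deny "
                            f"path={request.path} param={patch.parameter} "
                            f"reason={patch.message}")
                return "deny", log_line
    return "allow", None


def run_samples():
    """Evaluate a few constructed requests and return their decisions."""
    samples = [
        Request("/account/view", {"id": "42"}),                 # legitimate
        Request("/account/view", {"id": "not-a-number"}),       # fails validation
        Request("/account/view", {"id": ["42", "x"]}),          # repeated parameter, second copy bad
        Request("/account/profile", {"id": "x"}),               # out of scope, left to the application
        Request("/reports/export", {"format": "pdf"}),          # legitimate
        Request("/reports/export", {}),                         # parameter absent, left to the application
    ]
    return [evaluate(r) for r in samples]


if __name__ == "__main__":
    for decision, log_line in run_samples():
        print(decision, log_line or "")
```

Two design points matter for this practice. The rule is scoped to a single path and parameter with a positive pattern, so it protects the known flaw without producing false positives elsewhere, and the log line carries the rule id so the interim control can be traced and retired once the code-level fix ships.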
- Application Security Metrics Will Provide a Foundation for Decision-Making: As enterprises increase the sophistication of their application security programs, standard metrics will emerge for the cost of finding and resolving vulnerabilities and for the time required to fix them. Forward-looking firms in more mature industries will begin sharing anonymized data to support benchmarking efforts.
“In the past, organizations have been doing what’s easy as opposed to what’s important, and that’s going to cost them in the long run,” said John Dickson, Principal of Denim Group. “For example, studies have shown that 1-3% of employees in an organization are bad apples that are prone to steal internal data, and it’s naïve to think that isn’t the case with your enterprise. As more security breaches happen – both internally and externally – organizations will realize that point solutions are not going to provide the increased application security they require, and to successfully confront the issue they will have to address it throughout the software development lifecycle.”
About Denim Group
Denim Group, an IT consultancy specializing in custom software development, systems integration, and application security, serves a national and international client base of Fortune 500, commercial and public sector organizations in industries including financial services, banking, insurance, healthcare and defense. With over 40 years' experience in large-scale software development projects and information security, the principals are recognized experts in their fields and founded the San Antonio chapter of the Open Web Application Security Project (OWASP). Denim Group was included in the 2008 Inc. 5000 list of the fastest-growing private companies in America, ranked 1101. The San Antonio Business Journal recognized Denim Group as the Fastest Growing Company in San Antonio in 2006 and as one of the Best Places to Work in 2007. For more information about Denim Group, visit www.denimgroup.com.