We recently released our guidance on the top application security trends for 2010:
1. Web mashup applications will result in new attack vectors
Web applications integrating data and functionality from multiple systems are becoming increasingly more common. Unfortunately, threat models for these “mashup” applications are rarely performed, and when they are, they are rarely understood. The accelerated pace of change for software security is moving much faster than the security practitioners’ ability to provide meaningful guidance to application development teams.
2. New data breaches will force organizations to focus on internal applications as well as external
Most organizations incorrectly assume they only need to worry about external security, but publicly-revealed data breaches of internal applications have shown that an internal network is no longer a safe haven. In 2009, known breaches caused by malicious insiders resulted in the compromise of over 1.5 million records according DataLossDB.org. What is not known is the extent of incidents that were concealed or went unreported.
3. Adoption of HTML 5 and other new technologies will cause developers to inadvertently build vulnerable applications
HTML 5 has a variety of new capabilities that can erode previously established security controls. While developers are building more ambitious applications using these new capabilities, many development teams will not consider the associated security risks of exposure of HTML-based 5 web applications until after their deployment.
4. Resurgence of risk management
Many organizations have postponed spending on software security during the recession at a potentially huge cost. As the economy improves, organizations will refocus on risk management rather than merely meeting compliance requirements.
5. Organizations will finally start asking, “How are we going to fix these vulnerabilities?”
Security teams will shift their focus from finding vulnerabilities to working with development teams and actually fixing them. Forward-thinking organizations will treat application vulnerabilities as software defects and will leverage existing software development and maintenance practices within the organization in order to resolve security vulnerabilities.
6. Security and development teams will have increasing interactions
Deeper discussions between security and application development teams will lead to improved decision-making and more streamlined cooperation. These process improvements will begin to have a positive impact on the security of software developed by the enterprise.
7. Organizations will move beyond scan-only approaches to application security
Initial approaches to application security were often solely focused on automated scans of applications or code to identify technical vulnerabilities. However, targeted attackers are shifting their focus to business logic attacks on applications, and leading organizations will start to incorporate more manual testing and code reviews in order to respond to the these new realities.
8. The application security market will continue consolidating
Further consolidation of product vendors will provide product suites with a more comprehensive range of capabilities and consistent approach. Global system integrators will identify software security as a gap in their services and will try to solve the problem through acquisition.
9. Organizations deploying web application firewalls will increasingly use them for virtual patching
Virtual patching involves creating targeted rules for a web application firewall based on specific known vulnerabilities. Organizations will increase their use of this practice to provide interim protection while code-level fixes are implemented.
10. Application security metrics will provide a foundation for decision-making
As enterprises increase the sophistication of their application security programs, standard metrics will evolve for costs for finding and resolving vulnerabilities as well as timeframes required to fix vulnerabilities. Forward-looking firms in more mature industries will begin sharing anonymized data to support benchmarking efforts.