Application Security Trends for 2010

We recently released our guidance on the top application security trends for 2010:

1. Web mashup applications will result in new attack vectors

Web applications integrating data and functionality from multiple systems are becoming increasingly common. Unfortunately, threat models for these “mashup” applications are rarely performed, and when they are, they are rarely understood. The pace of change in software security is moving much faster than security practitioners’ ability to provide meaningful guidance to application development teams.

2. New data breaches will force organizations to focus on internal applications as well as external

Most organizations incorrectly assume they only need to worry about external security, but publicly revealed data breaches of internal applications have shown that an internal network is no longer a safe haven. In 2009, known breaches caused by malicious insiders resulted in the compromise of over 1.5 million records, according to DataLossDB.org. What is not known is the extent of incidents that were concealed or went unreported.

3. Adoption of HTML 5 and other new technologies will cause developers to inadvertently build vulnerable applications

HTML 5 has a variety of new capabilities that can erode previously established security controls. While developers are building more ambitious applications using these new capabilities, many development teams will not consider the security risks of exposing HTML 5-based web applications until after their deployment.

4. Resurgence of risk management

Many organizations have postponed spending on software security during the recession at a potentially huge cost. As the economy improves, organizations will refocus on risk management rather than merely meeting compliance requirements.

5. Organizations will finally start asking, “How are we going to fix these vulnerabilities?”

Security teams will shift their focus from finding vulnerabilities to working with development teams and actually fixing them. Forward-thinking organizations will treat application vulnerabilities as software defects and will leverage existing software development and maintenance practices within the organization in order to resolve security vulnerabilities.

6. Security and development teams will have increasing interactions

Deeper discussions between security and application development teams will lead to improved decision-making and more streamlined cooperation. These process improvements will begin to have a positive impact on the security of software developed by the enterprise.

7. Organizations will move beyond scan-only approaches to application security

Initial approaches to application security were often focused solely on automated scans of applications or code to identify technical vulnerabilities. However, targeted attackers are shifting their focus to business logic attacks on applications, and leading organizations will start to incorporate more manual testing and code reviews in order to respond to these new realities.

8. The application security market will continue consolidating

Further consolidation of product vendors will provide product suites with a more comprehensive range of capabilities and consistent approach. Global system integrators will identify software security as a gap in their services and will try to solve the problem through acquisition.

9. Organizations deploying web application firewalls will increasingly use them for virtual patching

Virtual patching involves creating targeted rules for a web application firewall based on specific known vulnerabilities. Organizations will increase their use of this practice to provide interim protection while code-level fixes are implemented.

10. Application security metrics will provide a foundation for decision-making

As enterprises increase the sophistication of their application security programs, standard metrics will evolve for costs for finding and resolving vulnerabilities as well as timeframes required to fix vulnerabilities. Forward-looking firms in more mature industries will begin sharing anonymized data to support benchmarking efforts.

You can see additional coverage of this on Help Net Security, BusinessWire and Yahoo Finance.

Contact us to talk about what you need to do to guard against application security risks in 2010 and beyond.

–Dan

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry-leading application vulnerability management platform.
