We recently provided some guidance on what we believe will be important trends in application security in 2011. 2010 was a transformative year for the application security market and for the practice of application security in general, and we think 2011 is going to keep building momentum. The press release is available online here.
dan _at_ denimgroup.com
Agency Contact: Alan Weinkrantz
Denim Group Contact: John Dickson
Denim Group Provides Guidance on Application Security Trends for 2011
Mobile Applications, Shifting to The Cloud, Malware on the iTunes / Droid Stores, The Smart Grid and More, Give Rise to New Forms of Application Security Threats in the New Year to Come
San Antonio, TX – January 4, 2011 – Denim Group, an IT consultancy that develops secure software and helps organizations assess and mitigate risk with their existing software, announced today that it foresees shifts in the application security landscape in the coming year. As a trusted advisor to many Fortune 500 and large public sector organizations, the firm has just announced its guidance on the top application security trends for 2011:
- Mobile application security concerns will dominate headlines.
Enterprise organizations will face greater challenges deploying mobile applications, as they realize most mobile development is not up to the rigorous standards of enterprise software security and industry compliance. As a result, more headlines will catalog the loss of customer data from Internet-connected smartphone and tablet devices.
- Moving to the Cloud places enterprises at the mercy of corporate terms of service rather than the Constitution and Bill of Rights.
As illustrated by the problems WikiLeaks had when Amazon.com evicted them after public pressure, organizations that rely on the cloud are at the mercy of their hosts’ terms of service and do not have the same protections that can be expected from the government if they were to run their own infrastructure.
Relying on vendors’ contracts of compliance and possible government regulation is far riskier than relying on 4th Amendment and other protections of due process. This places enterprises at greater risk from malicious overtures from corporate and government antagonists.
- Developing applications for the Cloud will present new security threats previously not considered.
Enterprise software development will start to shift to extending and customizing SaaS applications rather than writing custom software from the ground up. Force.com and other B2B providers will lead the way, but extensions to consumer-oriented applications such as Facebook will increase as well. As with all new programming models, software developed as extensions to SaaS will have new types of vulnerabilities dealing with trust and dataflow, as well as new instances of well-known vulnerabilities like cross-site scripting (XSS) and SQL injection.
- The Payment Card Industry will continue to drive application security investment.
This will drive more software security initiatives, as the Payment Card Industry’s Data Security Standard (PCI-DSS), despite criticism, is ultimately regarded as one of the few compliance frameworks with technical “teeth.”
- Introduction of malware into the iTunes and Droid app stores.
Applications submitted to the Apple iTunes App Store and the Google Android Market do not undergo security testing as rigorous as that applied to traditional enterprise applications.
Neither application store does “white listing,” per se. As a result, users who download and use applications from either source are implicitly trusting that malicious application developers are not uploading software that can steal information from their handheld / smartphone device. Look for a serious instance of malware being uploaded and propagated in 2011.
- Demand for application security talent will jump dramatically; the supply for said talent will grow at a slower rate.
More organizations will start application security initiatives, and existing programs will become more organized and expand in size.
This will create a strong demand for experienced professionals, but the supply will not grow at the desired rate. The overall average experience level of industry practitioners will decrease. Look for colleges and universities to begin partnering with private industry to create programming and professional accreditation in this emerging field.
- Utility systems will accelerate Smart Grid adoption with little or no attention paid to security.
Federal funding and clean energy initiatives will continue to move utility providers toward upgrading their production, distribution, and corporate networks to include “smart grid” technologies.
Most of these upgrades will be done with little or no attention paid to security. At particular risk are those providers relying on wireless technologies for their underlying infrastructure, because this puts the confidentiality and integrity of data transmissions – in both directions – at risk.
- Candidates for the next big application breach? The mid-size enterprise.
Mid-size enterprise organizations will be at particular risk. These will be organizations large enough to have custom software deployed, but not large enough to have a mature application security initiative in place.
In 2010, attackers used the Zeus botnet to target mid-sized organizations for quick “hit and run” thefts. Even before that, phishers targeted the regional and mid-sized banks as the larger financials learned to detect and respond to their attacks. Most of these mid-size organizations lack mature security practices across the board and have virtually non-existent IDS/IPS and incident response capabilities. Those with custom applications deployed in 2011 will be particularly at risk.
Application architectures are getting increasingly complex as they integrate web applications, web services, mobile applications and “the cloud” (whatever that means). This makes automated tools even less of a solution than before for “automatically” finding vulnerabilities. An advantage of this is that it will be harder for attackers to automatically find exploitable vulnerabilities (as they did with untargeted SQL injection attacks that planted stored XSS payloads). A disadvantage is that successful attacks will likely be very targeted, deadly, and have an impact on a “cloud” scale.
About Denim Group
Denim Group develops secure software, helps organizations assess and mitigate risk with existing software, and provides training on best practices in software security. Denim Group has worked with a range of Fortune 500 companies and public sector organizations, bringing a focused software development approach to the world of software security. Denim Group is a strong contributor to the larger application security community, and has been involved with the Open Web Application Security Project (OWASP) since shortly after its inception. Additionally, Denim Group was ranked 1,751 in Inc. Magazine’s 5000 Fastest-Growing Private Companies in America in 2009. For more information about Denim Group, visit www.denimgroup.com.