If you’re like me, you just survived the onslaught of “what we saw in 2017” lists, only to be inundated shortly thereafter by “what we will see in 2018” predictions in security. As a vendor in the application security space, we’re in the thick of things. We have our ears to the ground, attend security conferences throughout the year, and spend tons of time listening to the pain points of many different clients. Based on this exposure and what we’ve picked up in the field, I started to cobble together a list that I initially titled “what I’d love to see in 2018 for application security.” I quickly realized there were far more questions than answers. Below you will find a list of my top questions, consolidated for your review and comments.
How will AI affect our field?
No field is more in need of artificial intelligence and machine learning than application security. As application security experts know far too well, automated scanning technologies – static, dynamic, and interactive – are far from perfect. They still generate far too many false positives (static testing, in particular) and they remain nearly powerless to test for more complex authorization and business logic issues. In one client assessment project last year, the initial results from a leading static analysis tool generated 8,500 findings, which ultimately resolved to a couple of “high” vulnerabilities and a smattering of “medium” and “low” issues. Over those 8,500, we boiled over 1,000 instances of the same XSS flaw down to produce one actual vulnerability. Culling down these false positives and making sense of this data is tremendously costly in manpower. It seems like this is an area where we have a large body of data that could be used for training machine learning algorithms to help make better sense of the data coming from automated scanners. The work that IBM is doing applying Watson to lower false positives in its AppScan Source static analysis platform is intriguing.
The flip side of the problem is false negatives – or classes of vulnerabilities that scanners can’t seem to find, and unfortunately, these authorization and business logic flaws end up producing some of the scariest vulnerabilities. When scanning technologies can understand certain business rules implicitly and apply them to smarter scanning of business logic, we’ll see the true impact that AI can have on application security.
How Much Will DevOps Change Application Security this Year?
No topic has dominated the application security world in the recent past more than DevOps and its effect on the security of software. Although many IT leaders continue to admire what Netflix and Etsy have done, and many claim they want to emulate it, the implementation of DevOps is all over the adoption curve. “Moving security to the left” is nearly a cliché, but still most organizations have yet to adopt security testing in CI/CD pipelines.
Essentially, there are two questions involving DevOps and security that organizations are trying to answer in 2018:
- How widespread is adoption of DevOps across ALL software development teams? 25%? 50% 100%? Have organizations transitioned white board activities to production or is DevOps more talk than action? If so, what is the timeline for complete adoption?
- How successfully were organizations able to build security testing into their CI/CD pipelines? What tradeoffs were made to get testing during the finite window of opportunity during the build process? We have one client who was told by architects that he had just under three minutes to perform a security pipeline as part of the fully automated commit process. If you have 19 seconds, you sure as heck can’t perform a full-blown static analysis of the entire code base, so you’ll have to make serious tradeoffs and develop a process to perform deeper inspection of code in a separate out-of-band process.
Will Security Get Better Test Coverage on the New/Cool Languages?
Most application static vulnerability scanning technologies are best at finding vulnerabilities in web applications written in compiled languages like .NET and Java. Why is this the case? For nearly twenty years, these languages have been the preferred platform of choice for enterprise organizations writing line of business applications. Scanning technologies have been incrementally tuned to find more coding flaws in the apps they have scanned the most – namely apps built in .NET or Java. However, most of the cool kids in Silicon Valley startups or in the interactive component of established companies are adopting newer dynamic languages like Go or Python. Unfortunately, the static scanners tend to have far less coverage for these languages. How does this play out in the real world? We have one client that adopted a popular and static application vulnerability scanner to find vulnerabilities in their Python-based platform. They could not figure out why their Bug Bounty program was continually finding bugs in production when their scanning efforts nearly always gave them a clean bill of health. It was tough to explain to their non-development-smart security team that their existing scanning engine struggles to find many vulnerabilities in Python because of challenges statically scanning dynamic languages and the relative immaturity of their support versus “enterprise” languages like Java and .NET.
How will the Application Security Vendors Adapt to the Changing Landscape?
There has been a whirlwind of change in the application security vendor market in the last two years. CA’s acquisition of Veracode, Microfocus’s purchase of HP/Fortify, and the succession of acquisitions by Synopsys of Quotiom, Cigital, and Black Duck (who did I miss?) highlight a consolidation of the industry. Will CA let Veracode continue as a business unit or will they be tempted to more tightly integrate the Veracode platform into the larger CA suite, with all the subsequent positives and negatives of doing so? Will MicroFocus continue to improve Fortify or will it be tempted to optimize its existing software suite to maximize sales margin? Will the advisory culture of Cigital win over the product focus of the other technologies purchased by Synopsys? Will newer companies like Checkmarx and Signal Science capitalize on miscues of certain incumbent application security vendors this year? My suspicion is that 2018 will be another year of consolidation and be even more fun to watch. Luckily, I have a front seat J.
Picking my top questions for 2018 was not a straightforward task. The above list represents just the tip of the iceberg of many questions I’d like to see answered in the new year. No doubt there were good questions left out, and other application security experts will have other equally or more interesting questions. If you do, feel free to share those on social media and I’ll combine them in a subsequent blog post.
I plan to revisit this list at the same time in 2019 to see what, if anything, has changed or was answered. Happy New Year!