The Info Security Products Guide recently asked a number of industry leaders to offer their thoughts and predictions on the direction of cybersecurity in 2018. Our CEO, Dr. Anita D’Amico, was included in this esteemed group. Her article, below, predicts greater adoption of AppSec processes in 2018 and beyond, and can be found in the Info Security Products Guide Industry feed.
Upsurge in software security as CISOs mandate application security testing
Vulnerabilities in an organization’s software applications are among the primary vectors used by attackers to breach a system. The Equifax breach was just one of many attacks traced back to the exploitation of a software vulnerability. During just the third quarter of 2017, there were more than 230 million web application attacks on U.S. websites. Mobile and Internet of Things (IoT) apps also present easy targets. Approximately 30% of mobile apps and 38% of IoT apps contain significant vulnerabilities that can be exploited by attackers.
After decades of investing resources in network security, attention is now shifting to application security (AppSec). CISOs, Boards of Directors, and the U.S. government realize that any sound security program must include AppSec, which extends to security testing of all their enterprise, web, mobile and IoT apps, as well as the third-party software components they use. Insecure software represents a liability that they are now addressing by maturing their own organization’s AppSec programs, and demanding that their suppliers do the same.
In 2018, we will see increased adoption of application security processes, well beyond the post-release penetration testing used by many to date. There will be an upsurge in static security testing used during software development, automated penetration testing, assessment of the vulnerabilities in third-party libraries, as well as AppSec training of developers and security analysts.
Anita D’Amico, PhD, is the CEO of Code Dx, Inc., which provides solutions to analyze and manage vulnerabilities in software. She started her career as an experimental psychologist, and for the past twenty years has applied that background to enhancing the performance of cybersecurity analysts. For the past seven years she has focused primarily on methods for increasing the adoption of security practices during the software development process.
- Increasing the speed, ease and automation of application security, so that security testing and remediation can keep pace with the rapid release cycles of web and mobile applications.
- Raising awareness within the software development community of the need to build security into every stage of the Software Development Lifecycle.
- How to combine network and application security in a way that each adds value to the other.
Direction for CSOs and Decision Makers:
- Invest resources in building security into your software from the start, to avoid more costly post-release patches and breaches.
- Do not rely on any single technique or tool for testing the security of the software you offer or use. Few work well alone, but used together they offer good vulnerability coverage.
- DevSecOps: Build security into your DevOps pipeline.