tldr; Application Security Trend Report

  • According to the Application Security Trend Report, 81% of surveyed respondents use Java as their programming language to add value to their customers.
  • 87% of surveyed respondents develop web applications, while 60% develop enterprise business applications.
  • 38% of the surveyed respondents are developers or engineers, 22% work as developer team leads, and 22% are architects.

Security and Developers

Developers are the first line of defense when it comes to securing their valuable asset: code. This is what the shift-left movement is about. In essence, developers need to think more about security before pushing their work to the next stage in the pipeline.

Writing secure code is key. Secure means not being penetrable by external or internal actors. Another key factor of being secure is that the software works as intended. There are six techniques that developers definitely need to consider when sitting down to plan out the testing phase of their work:

  1. Validating Inputs
  2. Architecting and Designing for Security Policy
  3. Making Permissions Explicit and Denial Default
  4. Using a Secure Coding Standard
  5. Executing All Processes with the Least Set Privileges
  6. Sanitizing Data Before Sending it to Other Systems

One major vulnerability that all software has the potential to suffer from is a buffer overflow attack.

“A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of memory can corrupt data, crash the program, or cause execution of malicious code.”

The most popular ways to mitigate this type of attack are code auditing, bounds checking, use of compiler tools, and only coding in strongly-typed languages with no direct memory access, including in their libraries.
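To make the bounds-checking mitigation concrete, here is an added C example written for this summary (not code from the report): a constructed record whose `is_admin` field sits right after a fixed-size name buffer, with the unchecked `strcpy` pattern next to a checked copy that rejects input too long for the buffer instead of writing past it.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#define NAME_LEN 16   /* fixed-size buffer, NUL terminator included */

/* Constructed record: is_admin sits directly after the buffer, so an
 * overflow of `name` can silently overwrite it. */
struct user_record {
    char name[NAME_LEN];
    int  is_admin;
};

/* Unsafe "before": strcpy copies until it finds a NUL in `input`, so any
 * input of NAME_LEN or more characters writes past the end of rec->name.
 * Kept only for contrast; nothing below calls it with over-long input. */
void set_name_unchecked(struct user_record *rec, const char *input)
{
    strcpy(rec->name, input);
}

/* Hardened version: bounds-check the input against the buffer size and
 * reject it outright rather than truncating or writing out of bounds.
 * memchr never reads past NAME_LEN bytes of `input`. Returns true when
 * the name was stored, false when it was rejected. */
bool set_name_checked(struct user_record *rec, const char *input)
{
    const char *nul = memchr(input, '\0', NAME_LEN);
    if (nul == NULL)
        return false;                    /* no NUL within NAME_LEN: too long */
    memcpy(rec->name, input, (size_t)(nul - input) + 1);   /* bytes plus NUL */
    return true;
}

/* Stores `input` into a fresh record: returns 1 if stored, 0 if rejected,
 * -1 if the field after the buffer was clobbered (never, with the check). */
int try_store(const char *input)
{
    struct user_record rec = { "", 7 };
    bool stored = set_name_checked(&rec, input);
    if (rec.is_admin != 7)
        return -1;
    return stored ? 1 : 0;
}

int main(void)
{
    printf("alice -> %d\n", try_store("alice"));
    printf("32 x A -> %d\n", try_store("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The two inputs in `main` are constructed samples: a 5-character name that fits and a 32-character one that `strcpy` would have written straight past the buffer.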

I found it fascinating that more companies are doing source code analysis. However, it does sadden me to see that fewer companies are relying on penetration testing as a security defense. I am a big advocate for static and dynamic code analysis. This will help developers think about security at the left side of the pipeline.

Security and Enterprises

I cannot stress enough the importance of having a well-defined application development lifecycle. Also, knowing when in the lifecycle to implement security protocols can seriously affect their efficacy. I want this shift-left movement to start spreading into company culture everywhere.

I am not surprised that 29% of surveyed companies spend most of their time on application security during the design phase. However, I am shocked that 26% of surveyed companies spend most of their time on application security during the implementation phase. Are companies thinking about security at all?

Luckily, only 12% of respondents reported that one in five deployments contain known security vulnerabilities. But we should be at a point where deployments do not have any known vulnerabilities. The fact that these vulnerabilities are known to the public is disheartening. I thought we were at a point where deployments would be clean of at least the known ones.

The threats that organizations plan to allocate most of their resources to are phishing attacks, distributed denial of service, ransomware, and SQL injection.

Building Security into Application Architecture for Continuous DevOps Protection

  1. Implement a single security solution that reduces dependencies and integrates with DevOps tools, pipelines, and hybrid cloud environments
  2. Reduce disruption of development schedules and workflows with automated protection for images, containers, and your hosts
  3. Implement early detection best practices via application programming interfaces by scanning images at build time and repeatedly for the duration of their life in the registry
  4. Maximize threat detection at both the software build pipeline and runtime, with industry pro and focused threat intelligence feeds
  5. Help meet risk and compliance requirements by implementing comprehensive threat and risk detection that covers malware, vulnerabilities, secrets, and policy violations early in the CI/CD pipeline

Automated Full Life Cycle, Full Stack Container & Workload Security

“We’re able to protect a container pre-runtime by understanding what’s going on in the environment from a security perspective before it even hits production.”

  1. Prevent exploits within the build pipeline
  2. Provide continuous security for unknown security
  3. Expedite deployments with image assertion
  4. Secure workloads and container platforms at runtime
  5. Meet compliance needs with trusted security