As we look into the new year, we see three trends emerging for application security.
DevOps/DevSecOps drive fuzzing mainstream. The 2020 Standard C++ Foundation annual survey showed that 37% of developers are now using fuzzing in concert with continuous deployment. We expect fuzzing to continue to grow and become standard in DevOps/DevSecOps pipelines. The main driving factor is speed of delivery, where traditional appsec tools like SAST require a manual review of results due to false positives. This manual review either slows down the overall pipeline, or developers simply don’t look at the results and deploy anyway.
Fuzzing builds on the ethos of actionable results so that pipelines are not stalled with manual review. Fuzzers have zero or very low false positives because they couple every bug report with a witness input that triggers the bug. We are also seeing organizations who adopt fuzzing move more quickly to autonomous and continuous testing. A basic continuous testing environment executes a static set of developer-created tests on each release. The problem is growing your test suite to cover code as it is developed. A modern fuzzer can take a small test suite with lower coverage and autonomously grow it to a test suite with higher coverage. That autonomously increased coverage means more confidence in your deployments.
Mayhem Uncovers Defects at Machine Speed, Scale, and Accuracy.
Find out how ForAllSecure brings advanced fuzz testing into development pipelines.
Rise of product security as a discipline. We expect more and more businesses to create and grow product security as a discipline. Product security unites the authority and budget traditionally owned by cybersecurity with the responsibility and implementation owned by engineering, operations, and response.
- A legacy organization may have appsec tools under the CISO budget, and then throw the tool over the fence to engineering for actual day-to-day use. A modern product security team will take an end-to-end approach, from tool selection, purchase, to ultimately being integrated day-to-day into the pipeline.
- A legacy organization may have cybersecurity reacting to a new incident, wondering where the instrumentation is in the product to help. A modern product security team will be involved in the design and architecture to ensure that incident response capabilities are baked in.
- A legacy organization may leave things like secrets management and user data privacy to the ops team. A product security team will help engineer the product to account for best practices from day 1.
Organizations that embrace product security find they are better at building in security earlier, which study after study shows is ultimately cheaper.
Security and reliability become one. You can’t have a secure product if an attacker can make it unreliable. While security has always included the CIA triangle -- confidentiality, integrity, and availability -- security teams have focused most of their effort on the first two. We expect this to change in 2021, with analysts predicting the API testing market to grow to $5.1 billion by 2023.
Reliability -- especially for APIs -- is growing because our reliance on APIs is growing, while at the same time how we develop software has changed. Modern software stacks are written as a collection of microservices, with each service written in a type-safe language that better guards against low-hanging vulnerabilities. However, it also makes reasoning about how all the services may interact harder and harder. We expect appsec teams to increasingly orient around checking availability, especially on how malicious requests between APIs and microservices may bring down the overall application and business.