New Year, New Risks: 3 Application Security Resolutions You Should Adopt in 2019

I’ve always looked forward to New Year’s. As a youngster, a big part of the fun was staying up late on New Year’s Eve and then watching college football with my dad the next day — from the Cotton Bowl to the Rose Bowl to the amazing halftime show of the Orange Bowl.

Now, as an adult, the holiday is about new hope, new opportunities, new challenges and new perspectives. With that in mind, here are three key application security resolutions you should stick to in 2019.

1. Focus More on the Front End

Have you noticed that so much of cybersecurity is focused on dealing with and understanding breaches? Of course, we need to be able to detect, quarantine and remediate security incidents as soon as possible once they are discovered. But isn’t it better to nip attacks in the bud?

Those of us who have kids know this principle intuitively. For instance, imagine your middle schooler comes home from school on a Friday and tells you he or she has a project due on Monday. As a parent, you might encourage your child to get started that afternoon, and you may even caution against procrastination. But what inevitably happens on Sunday night? You have a panicking, frenzied student trying to make up for lost time.

The same thing often happens in application security. Organizations have been slowly shifting left for some time now, and I believe 2019 will be the year that this approach finally goes mainstream.

As noted by Infosecurity Magazine, security professionals “should work with development teams to identify the earliest point that manual processes, such as manual testing and threat modeling, can be effectively implemented in order to avoid lengthy remediation just before the delivery deadline.” And according to DZone, the shift-left approach is enabling security teams to install security protocols earlier in the development process, resulting in more time for penetration testing and greater security awareness among developers.

I did a little research using Google Trends to get an idea of what people are looking for in this space, and I found some very interesting results. The image below shows a relative listing of different search terms and their popularity. Each uses a 100-point scale in which 100 represents peak search interest.

Application Security Search Terms (Google Trends)

Comparing the terms “application security,” “data security” and “scan code” shows a current spike in interest. This is likely due in part to the recent Marriott data breach, but even so, interest in these topics has generally been trending upward. I also added “RASP,” which stands for runtime application self-protection, because I’ve heard that term come up more frequently in recent conversations. As it happens, I found an uptick in interest there, too.

The point here is simple: Organizations today recognize the need to be more vigilant in discovering and remediating application vulnerabilities before threat actors have a chance to exploit them. Why? Because the more that can be done to minimize potential vulnerabilities before applications are in production, the better. Increases in the usage of internet of things (IoT) sensors, personal devices and cloud services will only exacerbate that need.

Security teams, which are already understaffed and overwhelmed, are sure to feel even more pressure to prevent breaches in 2019. Expect to see more initiatives to elegantly add security testing to software development pipelines and new best practices emerging in this space. Until now, the conversation has largely been about how to get software developers to participate more in security testing as part of their day-to-day work. I also expect to see more tooling that facilitates a better partnership between security professionals and development teams to expedite remediation efforts.

2. Build Consumer Trust as a Top Priority

It’s not news that making applications safer is good business, but in 2019 this notion will graduate from common sense to an absolute necessity for survival. A 2018 IBM study found that for nearly every major application type, consumers overwhelmingly ranked security as the top priority over both privacy and convenience. The only exception was social media, where convenience was the top priority by a very slim margin. I think it is safe to predict that in 2019, consumers will expect the applications they use to be trustworthy.

Over the past few years, I have heard conversations shift from risk avoidance to risk management and now to risk tolerance. Where we used to strive to eliminate risk entirely, today it seems that most organizations are willing to tolerate a certain level of risk, and they are walking a fine line. For instance, applications are often released with limited capabilities because vendors know they can be quickly updated as soon as a new capability is available. In many industries, the attitude has devolved from “best-of-breed” to “good enough is good enough.” Because of that, the challenge is no longer about eliminating risk — it’s about figuring out where that line is and staying below it.

In this new environment, strong application security helps breed trust and loyalty. However, application security often suffers from the same perception problem that plagues much of IT: It’s only noticed when it’s not there. Today, people expect things to just work, and they expect them to be secure. In other words, security is a business imperative, so you should cultivate trust among your client base by building security into what you are delivering.

3. Talk More About False Negatives

We hear a lot about false positives in the application security world today, and with good reason. No one wants to waste time chasing down vulnerabilities and issues that aren’t real. However, given how many legacy systems are out there and the increasing sophistication of threat actors, the idea that many organizations have applications with ticking time bombs in them is unsettling.

Consider the Apache Struts vulnerability from March 2017. A 14-month investigation by the U.S. House of Representatives Committee on Oversight and Government Reform revealed that the vulnerability had led to a major attack that went undiscovered for more than two months due to expired security certificates and a failure to monitor network traffic. According to the committee’s December 2018 report, there were code vulnerabilities present for both SQL injection and insecure direct object reference (IDOR) attacks related to the Apache Struts problem.

In 2019, application security specialists should resolve to pay more attention to vulnerabilities that may fly under the radar in a scan or test. For instance, suppose you’re writing custom code that uses a new framework for your application. Will the security testing rules that you have in place today account for that new framework? If not, you have a security blind spot. Your tests will pass against the code that uses that framework, but they tell you nothing about whether it is actually secure. If it turns out to be vulnerable, then your tests are giving you a false negative and a potentially dangerous false sense of security. When you factor in the speed at which languages, frameworks and application programming interfaces (APIs) are changing today, the ability to uncover and deal with false negatives will become much more critical to successful application security.
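As an added illustration of that blind spot (example code written for this page, not the author’s or IBM’s): a toy AST-based scanner whose sink list only knows one database API flags the concatenated SQL query in one handler and silently misses the identical pattern written against a hypothetical new framework; extending the rule set closes the false negative. The sample source, the `raw_query` method and both sink lists are constructed for this example.

```python
import ast

# Constructed sample source: the same SQL-injection pattern written against a
# familiar DB API (cursor.execute) and against a hypothetical new framework
# whose sink (db.raw_query) the existing rules have never heard of.
SAMPLE = '''
def old_handler(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = " + user_id)

def new_handler(db, user_id):
    db.raw_query("SELECT * FROM users WHERE id = " + user_id)
'''

# Sink names the scanner knew before the new framework was adopted (assumed).
KNOWN_SINKS = {"execute"}
# Sink names after the rules were updated for the new framework (assumed).
UPDATED_SINKS = {"execute", "raw_query"}


def is_tainted(node, params):
    """True if the expression builds a string from a function parameter."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_tainted(node.left, params) or is_tainted(node.right, params)
    if isinstance(node, ast.JoinedStr):  # f-string
        return any(is_tainted(v.value, params)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    return isinstance(node, ast.Name) and node.id in params


def scan(source, sinks):
    """Return the names of functions that pass tainted input into a known sink."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        params = {a.arg for a in func.args.args}
        for call in ast.walk(func):
            if (isinstance(call, ast.Call)
                    and isinstance(call.func, ast.Attribute)
                    and call.func.attr in sinks
                    and any(is_tainted(arg, params) for arg in call.args)):
                findings.append(func.name)
    return findings


def false_negatives(source, old_sinks, new_sinks):
    """Vulnerable functions the old rule set missed: the scan 'passed' on them."""
    return sorted(set(scan(source, new_sinks)) - set(scan(source, old_sinks)))
```

With the old rules the scan reports only `old_handler` and stays green for `new_handler`, which is exactly the false negative the text warns about; only after the sink list is extended does the second finding appear.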

Resolve to Prioritize Application Security in 2019

In 2019, cybersecurity will become even more of a mainstream topic as technology advances and consumer awareness grows. Security is at the heart of building trust and maintaining a standard of quality for the millions of applications used every day. To lead and succeed in this space in 2019, companies need to begin with security in mind at the front end, build trust in their user base and be vigilant in resolving potential issues before they get to production. If organizations around the world stick to their security resolutions in the new year, all will enjoy a safer application ecosystem in 2019.

To learn more about how to achieve risk-based application security management, download our free e-guide.

Rob Cuddy

Worldwide Application Security Evangelist

Rob has been with IBM for the past 12 years and is currently a Worldwide Application Security Evangelist. Prior to this...