2022 Robservations on Application Security

It’s no secret that cybersecurity was a major topic in 2021, and not just in the information security sector.  At the beginning of the year, it was a surprise near attack at a small water treatment plant around the time of the Super Bowl that caught a lot of attention.  As the year went on we saw tons of ransomware and supply chain incidents.  There was so much activity that a Presidential Executive Order made news in May And of course, over the last few weeks, we have all heard about Log4j vulnerabilities.  All these things drove cybersecurity front and center. 

And thinking back to the start of 2021, my Robservations then were: 

1. QA Joins the Security Party (Thank You IAST) 

1. Developer Friendly Threat Modeling 

1. Emerging Best Practices – Particularly for Open Source 

1. Real Entry Levels and Defined Career Paths 

For the most part, we saw each of these advances throughout the year.  We saw increases in the number of quality assurance teams that were being asked to participate in security activities and IAST provided a great way to do that.  We saw a new threat modeling manifesto introduced in late 2020 gain more traction and discussion in 2021.  We saw great increases in talks, recommendations, and practices for Software Composition Analysis and the idea of a strong Software Bill of Materials, and we expect these discussions to continue.  And lastly, we saw great strides being made in the way those job descriptions were defined and an influx of new talent into cybersecurity roles.  Some great examples of this are the new Cybergatebreakers organization founded by VCISO Naomi Buckwalter and this new Cybersecurity Careers book by BISO  Alyssa Miller.  Also, make sure to watch Alyssa’s great talk entitled “From Barista to Cyber Security Pro” on YouTube. 

 So As 2021 passes and 2022 begins, what are some of the things that I’m thinking about and expecting?  Glad you asked.  Without further ado, here are the Robservations for 2022. 

Application Security becomes a full reality for all product releases 

Of course, application security has always been important, but historically, it has been something more “bolted on” somewhere during a process.  Today, it is clear that we can no longer rely only on late-cycle testing (including pen-testing) to reduce risk.  Security has to be “baked in” from the outset.  In 2022, I expect the threat modeling discussion that was a big part of 2021 to expand into a full design discussion.  I expect security to be much more of an active part of the planning efforts for organizations.  Especially as good security is paramount to customer trust and confidence.   

And why does this matter so much?  We are all familiar with the incredible growth in the number and kind of devices that are connected to the internet.  In particular, there have been major innovations in healthcare for everything from fitness wearables, pacemakers and even work now being done on ingestible pills with sensors to monitor and transmit data to doctors.   Imagine the chaos that can ensue if these sensors are compromised?  Imagine if someone decided to change diagnostic data and a completely wrong treatment gets prescribed? How willing are YOU to swallow something like that right now?  I don’t know about you, but I would want a lot more assurance about the security in place first. 

This is one place where application security can make a big difference.  While certainly something that is part of IoT today (as evidenced by the OWASP Top 10 for IoT vulnerabilities), there is plenty of room to improve.  Today, much of the security conversation concerns device management items such as strong passwords and default settings.  As IoT and application use in general expands, securing code that will reside and operate on devices becomes paramount.  Expect to see a greater focus on verifying that data captured, processed, and stored on devices are properly secured at all times.  Expect to see more emphasis on more robust interfaces that connect to these devices as well.  And expect better tools and methods to test for vulnerabilities in this space, especially for APIs, and in other industries like Manufacturing, Retail, and Banking. 

Data privacy laws continue to drive application security changes  

 What do the US states of Colorado, Virginia, and California have in common with China and Brazil?  All approved or enacted new data privacy laws in 2021.  No doubt data privacy is a major concern of citizens and consumers.  And where do people interact with data the most?  Applications.  Data privacy regulations are now including stronger language around applications and application security.  Good examples include the NY State Department of Financial Services (NYDFS) NYDFS 23 CRR-NY 500  that included language for “robust” security and the NY State SHIELD Act that went into effect in 2020 and added a comprehensive notion of “reasonable security requirement” in section 5575–B.  And, as this great site from Spirion shows,  many other states are requiring organizations to report even unauthorized access and not just data loss. Expect there to be more pressure on companies to be able to prove that they are properly handling sensitive data. And expect to see more stringent changes in the reporting of details surrounding data incidents. 

API security moves center stage 

This is related to the first Robservation on the reality of application security, but API testing specifically has been growing in importance.  In 2019 the OWASP API Top 10 was released to provide direct guidance and advice for APIs.  And since then, there has been a lot of discussion and improvement in API security testing.  Organizations that specialize in API testing have emerged as well and conducted webinar series on the need for it.   

Because APIs provide so much potential to expose data to misuse and loss, special attention needs to be paid to them and in particular to the assumptions that they often operate under.  For instance, assumptions about authorization (most do not ask for login information and instead rely on tokens) or resource usage (many do not restrict request amounts), if not tested and validated, can lead to unintended consequences quickly.  In fact, there is a specific set of Native API techniques that are called out for Enterprises in the Mitre att&ck database. Expect to see more specific tooling and testing tactics for APIs emerging in 2022, and we may even see API validation specifically being called out in vendor checklists and in places like the NIST Cybersecurity Framework.   

Correlation of data to better define, demystify and diminish the risk 

The final big trend that I believe we will see more of in 2022 is the correlation of security testing and using that data in a more holistic fashion to mitigate application risk.  What do I mean by correlation?  Well, today, there is Static Testing (SAST), Dynamic Testing (DAST), Interactive Testing (IAST), Runtime Protection (RASP), Pen-Testing and each generates their own set of results and provide one view of the state of an application’s risk.  But as security continues to shift left and become ingrained in the development pipeline and value streams, the need to prioritize real issues and target remediation efforts that have the most impact becomes paramount.  No one wants to waste time chasing false positives or fixing things that are non-exploitable.  I expect to see more concerted efforts to effectively identify and verify vulnerabilities in context and then provide targeted remediation advice that can be applied through a single click (vs copy-and-paste).  

So there you have the 2022 Application Security Robervations.  I hope that you have enjoyed this quick look back at the past year and look ahead to the next.  Join us throughout the year for more conversations in this space, and on the Application Paranoia podcast.