The Importance of Securing Applications & Security in DevOps
Forrester’s Annual State of Application Security Report has become a touchstone for organizations on their web application security — aka AppSec — journey, and this year’s is no exception. The 2021 report explores how the growing prevalence of open source, APIs, and containers adds complexity to the security team. Let’s explore a few other key findings from this year’s report.
Applications are still a top attack vector
Although reliance on applications has grown steadily over the past few years, it surprises no one that the abrupt shift to remote work in 2020 accelerated that reliance sharply. Forrester predicts web applications will continue to be a main vector for external attacks for three main reasons:
The continuous growth in open source usage
A substantial increase in security research, resulting in a rise in the number of reported security issues, including a high number of API vulnerabilities
The growing popularity of containerized environments, which suffer from a high volume of code and configuration issues
With applications continuing to be such ripe targets, many organizations plan to prioritize improving their AppSec profile in the next year. While 28% of security decision-makers surveyed in Forrester’s report plan to improve their application security capabilities, 21% plan to take that even further and prioritize building security into development processes.
Where do you stand? Evaluate your AppSec profile in relation to your overall security posture and read on for guidance in selecting tools as well as ways to improve security earlier in the software development lifecycle.
AppSec tooling helps bridge the gap between security and developers
Attackers are developers: They build malware, look for infrastructure vulnerabilities to exploit, and constantly evolve their tactics. They adapt quickly, and organizations must learn to react with the same speed.
While automating application security testing early in development as part of the DevOps pipeline is important, this year’s report recommends finding ways to speed up remediation once security issues are detected in production as well. According to Forrester data, security professionals who continue to shift left, or implement testing and remediation earlier in the development process, experience quicker remediation times. For example, by combining both static and dynamic application testing results, organizations were able to remediate security flaws 24.5 days faster than the average.
Real-time attack prevention requires investing in a security solution that enables both speed of visibility and control. And that can’t be just for one location or deployment — software and people are deployed around the globe, and security must be consistent across locations. (For more on this topic, see how API-enabled security can empower rapid incident response in our on-demand webinar, "API-First Security for Real-Time Attack Response.")
Shift left continues, but adoption of new AppSec tools is inconsistent
Given the increase in API-driven security breaches, security teams are rushing to embrace API security. However, work remains as organizations must ensure their tooling can keep up with new application architectures.
One of the report’s top recommendations for updating and improving AppSec tools and processes is to shift left. Forrester found that more organizations, seeing the value of early remediation, are implementing application security testing in development instead of in the testing phase.
You know the value of prevention over remediation and are likely looking at how to shift ever further left in your software development. As tools become more easily integrated into the CI/CD toolchain, see where you can implement them earlier in the software development lifecycle. And don’t forget about container security, which lags behind in security testing at many organizations. Shifting left also means looking at where you can implement necessary container security protections in development rather than in production.
AppSec strategies should keep up with agile development processes
As organizations increasingly rely on open-source and third-party components and open up more APIs externally, the Forrester report urges security professionals to nurture communication between security and development teams and to embrace automated security testing tools throughout development.
Forrester emphasizes the importance of using security tools that developers love. As modern AppSec tools are much more focused on developers, it’s easier for security professionals to collaborate with development teams to ensure security is woven into development workflows. Your application security tools should not stop at mere detection, but should also provide context and remediation guidance.
It’s up to you
As the software development ecosystem evolves, the report says “new development methodologies mean changes to the traditional security paradigms.” We’ve been hearing from customers — and saying ourselves — that this calls for looking ahead and investing in application security tools that can be easily integrated in future application development plans and architecture.
The idea of overhauling your stack for more agile, performant, and unified security solutions can be daunting, but the return on your investment is priceless.