In a word, very. You cannot secure your application layer without staying one step ahead of application security threats and the solutions to them. The problem is that keeping up is almost impossible in the face of the current security skills shortage. In a report titled “Hackers Wanted: An Examination of the Cybersecurity Labor Market,” the RAND Corporation states: “It’s even harder to find senior resources who have the combination of security and business skills to drive a successful application security program: the estimated demand is 10 to 30 times larger than the available supply for security program managers.” Keeping pace will mean supplementing your team with outside help, but not just any outside help. You need an AppSec partner focused on this segment and its future, one able to pivot and innovate as quickly as the ways applications are developed, used, regulated and threatened change.
AppSec regulations changing rapidly
As breaches proliferate and fill the headlines, the threat to the application layer is drawing the attention of regulators, and we predict you will see more and more AppSec regulations taking shape in the next few years. For example, in an unprecedented move for a state government, the NY State Department of Financial Services has proposed cybersecurity regulations (slated to go into effect March 2017) for financial services companies licensed by or operating in New York State. This is just the beginning of a shift toward more specific and prescriptive cybersecurity regulations. The proposed regulation includes a comprehensive list of requirements, among them:
- Implement a cybersecurity program with written policies and an audit trail
- Employ a Chief Information Security Officer (CISO) and dedicated cybersecurity personnel
- Identify cyber risks and conduct penetration testing at least annually and vulnerability assessments at least quarterly
- Secure applications by ensuring the use of secure development practices for in-house developed applications, and implement procedures for assessing and testing the security of all externally developed applications
- Assess risk to non-public information and information systems accessible or held by third parties, and conduct third-party security assessments at least annually
Application threat landscape changing rapidly
Your application landscape is growing and changing very quickly, and so are the threats to it. Take, for example, open source components. As the importance of applications grew in recent years, so did the pace of development. Building every app from scratch became unfeasible, and most developers today rely heavily on plugging open source components into their code. But security has not kept pace with the rapid influx of open source code. Our recent research found that approximately 97 percent of Java applications contained at least one component with a known vulnerability. Cyberattackers increasingly target these widely shared components to get the most bang for their buck: find one exploitable flaw in a popular component, and every application that embeds it is exposed. The scramble to find and patch every system and component affected by Heartbleed, the 2014 OpenSSL bug, is an example of the chaos that can and will ensue when you don’t know which components you are running.
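The first step in the “scramble” above is knowing which components, at which versions, each application contains, and checking them against the advisories you have. The script below is an added example, not Veracode’s code or tooling: it parses a constructed Maven `pom.xml`, compares each declared version against a constructed, hypothetical advisory list (the `EX-2016-000x` identifiers and the `com.example` artifacts are made up for illustration), and reports the dependencies whose version falls in an affected range. It assumes dotted-numeric versions and half-open ranges (`introduced <= version < fixed`), which is an assumption here rather than Maven’s full version-ordering rules. The point it makes that the paragraph alone does not: versions must be compared component by component as numbers, because a naive string comparison would wrongly flag `2.10.0` as older than the `2.9.9` fix.

```python
"""Minimal software-composition check over a Maven pom.xml.

Added example (not Veracode's code). The manifest and the advisory list
below are constructed for illustration; the advisory identifiers are
hypothetical, not a real vulnerability feed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample manifest. The artifacts are invented.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.example.util</groupId>
      <artifactId>http-client</artifactId>
      <version>4.3.2</version>
    </dependency>
    <dependency>
      <groupId>com.example.util</groupId>
      <artifactId>json-parser</artifactId>
      <version>2.10.0</version>
    </dependency>
    <dependency>
      <groupId>com.example.web</groupId>
      <artifactId>template-engine</artifactId>
      <version>1.0.5</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisories: (groupId, artifactId, hypothetical id,
# first affected version, first fixed version). Affected range is
# introduced <= version < fixed (an assumption for this example).
ADVISORIES = [
    ("com.example.util", "http-client", "EX-2016-0001", "4.0.0", "4.3.5"),
    ("com.example.util", "json-parser", "EX-2016-0002", "2.9.0", "2.9.9"),
    ("com.example.web", "template-engine", "EX-2016-0003", "1.0.0", "1.0.5"),
]


def _local(tag):
    """Strip the XML namespace so '{...POM/4.0.0}dependency' -> 'dependency'."""
    return tag.rsplit("}", 1)[-1]


def parse_version(version):
    """'4.3.2' -> (4, 3, 2). Dotted-numeric only (assumption): a trailing
    qualifier such as '-SNAPSHOT' is dropped and non-numeric parts become 0.
    Tuples compare numerically, so (2, 10, 0) > (2, 9, 9) as it should."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def parse_dependencies(pom_xml):
    """Return [(groupId, artifactId, version), ...] for every <dependency>
    that declares an explicit version."""
    root = ET.fromstring(pom_xml)
    deps = []
    for node in root.iter():
        if _local(node.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in node}
        version = fields.get("version")
        if version:  # versions managed elsewhere are skipped in this example
            deps.append((fields["groupId"], fields["artifactId"], version))
    return deps


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, compared numerically."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_vulnerable(deps, advisories):
    """Match each dependency against the advisory list; return
    [(group:artifact:version, advisory id, first fixed version), ...]."""
    findings = []
    for group, artifact, version in deps:
        for adv_group, adv_artifact, adv_id, introduced, fixed in advisories:
            if (group, artifact) == (adv_group, adv_artifact) and is_affected(
                version, introduced, fixed
            ):
                findings.append((f"{group}:{artifact}:{version}", adv_id, fixed))
    return findings


if __name__ == "__main__":
    for coord, adv_id, fixed in find_vulnerable(parse_dependencies(SAMPLE_POM), ADVISORIES):
        print(f"{coord} is affected by {adv_id}; upgrade to >= {fixed}")
```

Run as written, only `http-client 4.3.2` is reported: `json-parser 2.10.0` is past the `2.9.9` fix once versions are compared numerically, and `template-engine 1.0.5` sits exactly on the fixed version, so the half-open range excludes it. A real deployment would replace the constructed feed with an actual advisory source and add transitive dependencies, which a plain `pom.xml` does not list.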
Technology moves fast, and so do cyberattackers. You need application security that moves just as fast.
Developer processes changing rapidly
In the not-so-distant past, development processes didn’t affect application security all that much. Developers did their thing, then passed the code to security to do theirs. As the demand for software has increased, development processes have had to adapt and pivot. You want secure software? It’s not going to happen without educating developers about secure coding, and then making it easy and seamless for them to practice it. If your AppSec solution isn’t keeping up with development processes and integrating into them, you’re going to fall behind.
AppSec technologies changing rapidly
As new development methodologies like DevOps increase the complexity of securing software, the application security market must adapt. The pace of software development demands that software security be fast-moving too. As development methods change and apps proliferate, new technologies will emerge to fill gaps and solve problems. Today those technologies are solutions like software composition analysis, runtime application self-protection and developer sandboxes; tomorrow, they will be something else.
Application security will not be served by maintaining the status quo. Veracode is committed to keeping up with this fast-moving space; find out more about our solution.