Oxeye on Tuesday predicted that as more applications are built with a cloud-native approach, application and cloud security will converge in 2023.
In a blog post listing 5 AppSec predictions for 2023, the Oxeye researchers found that application security has become affected by the underlying cloud infrastructure, while cloud security now has to take the application layer into account for attack path analysis.
Security teams also need to take into consideration that the “shift left” movement will turn into a “shift everywhere” scenario. The Oxeye researchers say intelligent analysis that combines the signals the development team derives from static analysis with the signals it gets from runtime analysis (shifting a bit to the right) will deliver a more accurate picture of the vulnerabilities in applications, and a true understanding of how they contribute to overall risk.
Another important trend: Oxeye said C-suite leaders will want to know more about how they can lower their overall risk exposure and then allocate resources appropriately. This will force AppSec teams to find tools that deliver detailed, high-fidelity risk profiles for each application within their care, profiles that include the risk score of each application, the type of data these applications collect, transfer and store, and the number of records that are collected.
The C-suite demanding greater visibility into the risk contributions of applications is an interesting prediction, but possibly too narrow in scope, said Piyush Pandey, chief executive officer of Pathlock. Pandey said application security means a lot more than it did even just a few years ago.
“What was before limited to identifying vulnerabilities in code and configurations of those apps, now must include the risks within the applications — the access and entitlements that could allow for misuse of data and misdirection of funds,” said Pandey. “This is commonly referred to as the controls within, and across, applications. Combining the context of software vulnerabilities with controls effectiveness not only provides a truer picture of risk, but also brings IT and the business together to work to solve the problem.”
Ted Miracco, chief executive officer of Approov, added that the C-suite has every right to demand greater visibility into security risks, and security teams should not consider this an unreasonable ask. Miracco said there are plenty of software forensic tools that can easily identify broad categories of risks, for example exposed API keys in mobile applications.
“We use these tools every day to find vulnerabilities and to deliver solutions to make the applications extremely secure,” Miracco said. “The rush to bring mobile applications to market created a lot of vulnerabilities, and it’s now time to review what’s out there and to start remediating all the flawed applications and to get all the exposed API keys secured using existing technologies.”