Businesses are clamoring for more structure, processes and tools to secure their software development as they increasingly move to host applications in the cloud and utilize application programming interfaces to speed up development.
In a new survey of 200 application infrastructure and data security professionals around the world conducted by Radware and Osterman Research, pluralities or majorities expressed concern over a number of challenges associated with app security. Less than half say they have successfully integrated security into their continuous integration/continuous delivery pipeline, while similar numbers expressed “strong” agreement that security work should not interrupt an application’s release cycle.
The results largely conform with the reality that most businesses continue to view information security less as an end goal unto itself, and more through the prism of direct impact on larger business goals.
In December, Sandy Carielli, principal analyst at Forrester Research, noted that for most development teams, “their goal…is to get product in their customers’ hands” quickly, and security is secondary to those needs.
“From the standpoint of the development team, they want the tools and processes that will help accelerate that, and that means they want more open source, they want more automation and they want faster release cycles,” said Carielli while speaking at a Dec. 15, 2020 web event on application security. “At the same time software and applications are a critical part of getting product to market, they are also a way in for attackers.”
Businesses will have to reassess what it means to secure their applications and code: 70% of production apps are now hosted in private or public clouds. Development, however, still happens mostly in-house: nearly 70% of software in development is built in on-premises data centers or in a private cloud controlled by the organization.
This shift brings with it the return of a familiar, seemingly eternal debate around trust and security in the cloud. Just over one in four respondents said they completely trust their cloud providers to secure their applications and data, while many organizations reported that their understanding of how to apply security principles to a public cloud actually got worse the more they migrated their systems and assets.
According to the survey, at least 10 percent said that after a breach they were confused about which party, the provider or the customer, was responsible for the security failures that led to it, while others said the same confusion has left them uncertain about whether they have suffered a breach at all.
John Kinsella, chief architect at cloud cyber firm Accurics, told SC Media in an email that “while developers are growing more accustomed to developing for the cloud, changing one’s development habits takes a higher level of comfort.”
“Anytime that development happens in a different context than production it creates an opportunity for confusion,” said Kinsella. “Developers need to understand the context within which the application will run, and security needs to ensure that testing is performed in the appropriate context. With cloud services and APIs changing frequently as new products are released and updated, staying up to date with these services can be a lot of work.”
Organizations will also need to grapple with the impact of leaning more heavily on APIs during the software development cycle. While these APIs are “easy to use and easy to consume” and allow for faster communication between systems during development, many also expose those same apps to a range of internet-based threats.
It’s clearly on the mind of security teams, as nearly 60% of respondents said API security is an area they plan to invest in heavily during 2021. Gaining visibility into security events, combating API abuse and better cross-platform policy coherence were all listed as desired capabilities. One out of every seven respondents said they had “no control over which third-party services are processing their sensitive data,” and similar numbers said they had no visibility into which apps were even doing so.
Kinsella said APIs are one of the top attack vectors during the software development cycle both because they are “ubiquitous” in cloud-native applications and because they represent “low hanging fruit” for attackers.
“This means there will need to be a strong partnership between development and security in order to ensure that there is a complete and up-to-date inventory of all the APIs in use across different applications in the organization,” he said. “API security solutions are still coming into maturity, so organizations should be looking for vendors or open source tools that can offer API discovery capabilities in addition to automated API scanning.”
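As an added illustration of the inventory Kinsella describes, and of the visibility gap into third-party services that the survey respondents reported, the following script is example code written for this article, not tooling from Radware, Osterman Research or Accurics. It assumes each service publishes an OpenAPI 3.x document (the two specs below, the service names and the example.com and thirdparty.example domains are constructed). It flattens the documents into a list of operations, works out the effective authentication requirement for each one (an operation may override the document-level `security` list, and an explicit empty list means it is intentionally anonymous), and flags operations that require no authentication and hosts outside the domains the organization owns.

```python
"""Build a minimal API inventory from OpenAPI 3.x documents.

Example code added for this article; it is not Radware's, Osterman's or
Accurics' tooling. The specs, service names and domains are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


@dataclass(frozen=True)
class ApiOperation:
    service: str
    method: str
    path: str
    host: str
    auth_schemes: tuple  # security scheme names required; empty means anonymous


def inventory(spec: dict, service: str) -> list:
    """Flatten one OpenAPI document into operations with their effective auth."""
    servers = spec.get("servers") or [{"url": ""}]
    host = servers[0]["url"]
    # Document-level requirement; operations may override it (even with []).
    global_sec = spec.get("security", [])
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters" or "summary"
            sec = op.get("security", global_sec)
            schemes = tuple(sorted(name for requirement in sec for name in requirement))
            ops.append(ApiOperation(service, method.upper(), path, host, schemes))
    return ops


def unauthenticated(ops: list) -> list:
    """Operations reachable without any security scheme."""
    return [o for o in ops if not o.auth_schemes]


def third_party_hosts(ops: list, owned_suffixes: tuple) -> list:
    """Server URLs whose hostname is not under a domain the organization controls."""
    def owned(url: str) -> bool:
        hostname = urlparse(url).hostname or ""
        return any(hostname == s or hostname.endswith("." + s) for s in owned_suffixes)
    return sorted(h for h in {o.host for o in ops} if not owned(h))


def build_report(specs: dict, owned_suffixes: tuple) -> dict:
    ops = [o for name, spec in specs.items() for o in inventory(spec, name)]
    return {
        "operations": ops,
        "unauthenticated": unauthenticated(ops),
        "third_party_hosts": third_party_hosts(ops, owned_suffixes),
    }


# Constructed sample specs: an in-house orders service and a third-party payments API.
SAMPLE_SPECS = {
    "orders": {
        "openapi": "3.0.3",
        "servers": [{"url": "https://orders.example.com/v1"}],
        "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
        "security": [{"bearer": []}],
        "paths": {
            "/orders": {"get": {"summary": "list"}, "post": {"summary": "create"}},
            "/health": {"get": {"summary": "liveness", "security": []}},  # intentionally anonymous
            "/orders/{id}": {
                "parameters": [{"name": "id", "in": "path", "required": True}],
                "delete": {"summary": "cancel"},
            },
        },
    },
    "payments": {
        "openapi": "3.0.3",
        "servers": [{"url": "https://api.thirdparty.example"}],
        "paths": {"/charge": {"post": {"summary": "charge a card"}}},  # no security declared at all
    },
}

if __name__ == "__main__":
    report = build_report(SAMPLE_SPECS, ("example.com",))
    for op in report["operations"]:
        print(f"{op.service:9} {op.method:6} {op.path:15} {op.host:35} {op.auth_schemes or 'ANONYMOUS'}")
    print("unauthenticated:", [(o.method, o.path) for o in report["unauthenticated"]])
    print("third-party hosts:", report["third_party_hosts"])
```

Against the constructed specs the report lists five operations, flags `GET /health` and `POST /charge` as anonymous, and names `https://api.thirdparty.example` as the only host outside the owned domain. In practice the specs would be pulled from each repository or gateway on every build so the inventory stays current, which is the "complete and up-to-date" property the quote asks for.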
Among the survey’s other findings: of the technologies adopted to improve application security, automated provisioning and testing, containerization and security orchestration, automation and response (SOAR) tools were the most popular. Automated testing and containerization in particular were viewed as important by security and non-security IT personnel alike, while tools like SOAR are increasingly viewed as a way for overwhelmed security teams to get a handle on the avalanche of new security events and alerts they deal with on a daily basis. That said, many organizations continue to face maturity issues in their own security environment that make wider adoption difficult or impractical.