As software becomes a key component of everyday life, from transportation to health, the need to take steps to secure it has become increasingly evident. Driven in part by the high-profile breaches we’ve seen over the past few years, the need for better application security has jumped to the forefront of the conversation throughout the software industry.
Now as we move into the new decade, the question is what will come next for application security? Which new technologies and practices are we likely to see emerge this year? How might regulation and market forces impact the way that we approach securing our products?
In hopes of gaining a wider view, we reached out to AppSec experts from across the industry to hear their predictions and perceptions for 2020. Here they are in their own words.
#1 “It’s our duty to help solidify the processes where software is developed”
“2020 ushers in a new decade where the awesome responsibility of application development takes center-stage through potentially life-altering software design and programming choices. Autonomous vehicles, medical devices, and physical security devices based on IoT technologies place human lives at the mercy of development teams charged with getting things right the first time and every time!
As security professionals working in this environment, it’s our duty to help solidify the processes where software is developed, the process for proper vetting and remediation of insecure or unsafe 3rd party and Open Source libraries, and the processes for effective testing to prove that software is not only secure, but safe and sound to use as well.”
Mark Merkow, CISSP, CISM, CSSLP Author of Secure, Resilient, and Agile Software Development
#2 Web Platform and Open Source ecosystem are empowering a whole new generation of developers
“With an ever growing number of systems, devices, and diverse supply chains to keep on top of, security attacks are evolving rapidly and faster than existing tooling can keep up.At the same time the Web Platform and Open Source ecosystem are empowering a whole new generation of developers into the industry, their out-of-the-box thinking will surface new and novel technology solutions to address the growing needs of enterprises in securing their software.”
Ahmad Nassri CTO, npm
#3 Threat Modeling will continue its move from an art to a discipline
“We’ll hear much more about AI and ML in security, for good and other reasons. Threat Modeling will continue its move from an art to a discipline. New breaches via old vectors will abound, and we will ask ourselves why they keep happening, and will not consider that perhaps we need to change the way we educate developers about secure development.”
Izar Tarandach Lead Security Architect, Autodesk
#4 Open source projects will use automatic dependency updates
“I really believe [that] in 2020 most popular open-source projects will use automatic dependency updates, fixing bugs and security holes in 3rd party dependencies even before they become known.”
Gleb Bahmutov VP of Engineering, Cypress.io
#5 It is finally possible to put a price tag on security investments
"AppSec will need to help move the various new privacy regulations from legal/compliance into development. This is a challenge and a chance at the same time. A challenge, as these regulations need to be translated into engineering practices requiring expertise in two distinctly different domains. A chance, as it is finally possible to put a price tag on security investments. Instead of threatening with script kiddies, it is possible to point at actual fines issued because of security debt, like weak authentication, missing 3rd party lib patching and the like."
#6 Mitigating AppSec risk through asset inventory and risk scoring
“We predict an increased trend towards mitigating application security risk through asset inventory and risk scoring to include the supply chain these assets are built on top of. The NPM security team is leading the way in providing a risk scoring API for their ecosystem and we expect other package management maintainers to follow suit.”
Ken Johnson Staff Application Security Engineer @ GitHub
Seth Law CEO, Redpoint Security
#7 DevSecOps and SecDevOps philosophies will be more important than ever
“There are still many big unknown vulnerabilities hiding in software and hardware. With the rise of machine learning, increasingly better insights into threats and data and the new era of quantum computing we will discover new and more interesting cases which are still hiding in the dark or even in plain sight for a very long time. Protecting (critical) data by applying methodologies of the DevSecOps and SecDevOps philosophies will be more important than ever and developers will have to expand their horizon to keep up with the upcoming challenges.”
Daniel Ruf Security Researcher
#8 AppSec should be tied to the identity of the user
“Encryption at the application layer blinds traditional security approaches such as firewalling and inspection. To build a true zero-trust secure network, application security should be tied to the identity of the user accessing the application and permission for the user to access the application should be controlled at the network layer.”
Prashant Kumar Co-founder, 128 Technology
#9 A dire need to embed a holistic app security program
"The continued rise of containerized environments, coupled with increasing need of new dev stacks, rapid development, and third-party components continue to pose new threats. There is a dire need to embed a holistic app security program with focus on detection by automation. This combined with core secure and privacy design principles elevates a secure-SDLC process."
Ralph Framke Security Architect at ICF Next
Our Thoughts for the Year Ahead
Having heard from these leaders in the field, we can identify a couple of important trends, challenges, and visions for the future.
Everyone recognizes that the sheer amount of code and assets that organizations need to secure is massive. The challenge is that this spike in scale coincides with important developments as software penetrates more industries, bringing with them significant costs to failure to secure.
So how is your organization preparing to be better secured in the coming year? Let us know and be sure to follow us and these AppSec professionals to stay on top of the latest trends impacting application development and security.