Application Security trends

Application Gateway

0-2 years

Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Unlike a layer 4 load balancer, which only sees IP addresses and ports, an application gateway can make routing decisions based on additional attributes of an HTTP request, such as the URI path or the Host header. Application gateways operate at the application layer (layer 7 of the OSI model) and are therefore also called layer 7 load balancers.

Use cases

Application gateways are typically used for a combination of the following use cases

  • SSL/TLS termination, including end-to-end encryption to the backend
  • Autoscaling
  • Session Affinity
  • Web Application Firewall
  • Multi-Site hosting
  • HTTPS upgrade
  • URL based routing
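The routing decisions listed above, written out as an added example (not code from the page or from any particular gateway product). The site names, backend pool members and the affinity cookie name are assumptions made for illustration; it shows Host-header (multi-site) routing, longest-prefix URL routing, HTTPS upgrade and cookie-based session affinity.

```python
"""Layer-7 routing decisions of an application gateway (added example).

Not code from the page: the site names, backend pool members and the
affinity cookie name are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

AFFINITY_COOKIE = "GatewayAffinity"  # assumed cookie name for session affinity

# Assumed multi-site configuration: Host header -> path prefix -> backend pool.
# Longest prefix wins, so /api/ is matched before /.
SITES = {
    "shop.example.com": {
        "/api/":    ["api-1.internal", "api-2.internal"],
        "/images/": ["static-1.internal"],
        "/":        ["web-1.internal", "web-2.internal"],
    },
    "admin.example.com": {
        "/": ["admin-1.internal"],
    },
}

_round_robin: dict[tuple[str, ...], int] = {}


@dataclass
class Request:
    host: str
    path: str
    scheme: str = "https"
    cookies: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str                        # "proxy", "redirect" or "reject"
    target: Optional[str] = None       # backend member, or redirect location
    set_cookie: Optional[str] = None   # affinity cookie to hand back, if any


def pick_backend(pool: list[str], req: Request) -> tuple[str, Optional[str]]:
    """Session affinity: keep a client on the member named by its cookie if that
    member is still in this pool; otherwise round-robin and set the cookie."""
    sticky = req.cookies.get(AFFINITY_COOKIE)
    if sticky in pool:
        return sticky, None
    key = tuple(pool)
    idx = _round_robin.get(key, 0)
    _round_robin[key] = idx + 1
    chosen = pool[idx % len(pool)]
    return chosen, f"{AFFINITY_COOKIE}={chosen}; Secure; HttpOnly; SameSite=Lax"


def route(req: Request) -> Decision:
    """Decide what the gateway does with one request."""
    # HTTPS upgrade: never proxy plaintext, send the client to the TLS URL.
    if req.scheme != "https":
        return Decision("redirect", f"https://{req.host}{req.path}")
    # Multi-site hosting: the Host header selects the site. An unknown host is
    # rejected rather than forwarded to some default backend.
    site = SITES.get(req.host.lower())
    if site is None:
        return Decision("reject")
    # URL-based routing: the longest matching path prefix selects the pool.
    for prefix in sorted(site, key=len, reverse=True):
        if req.path.startswith(prefix):
            backend, cookie = pick_backend(site[prefix], req)
            return Decision("proxy", backend, cookie)
    return Decision("reject")


if __name__ == "__main__":
    for r in (Request("shop.example.com", "/api/orders"),
              Request("shop.example.com", "/api/orders", cookies={AFFINITY_COOKIE: "api-2.internal"}),
              Request("shop.example.com", "/cart", scheme="http"),
              Request("evil.example.net", "/")):
        print(r.host, r.path, "->", route(r))
```

Note the two checks a practitioner would want: an affinity cookie is only honoured when it names a member of the pool the request actually routes to (so a client cannot steer itself to a backend of another site), and a request for an unknown Host is rejected instead of being passed to a default pool.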

Benefits

An application gateway is at its core a reverse proxy: clients only ever connect to the gateway, so the addresses and identities of the servers that actually serve the web application are not exposed. Because it bundles TLS termination, routing, session handling and a WAF in one component, it can remove the need for several separate products, although each of those functions still has to be configured and tuned for the applications behind it.

Verticals

All verticals

Challenges

With more organizations adopting cloud as part of their digital transformation, we expect an increased deployment of cloud-based combined application gateway, WAF and DDoS protection offered as a service, protecting both on-premises and cloud-hosted applications, within 0 to 2 years.

Application Security Testing

0-2 years

Application security testing refers to the process of finding and tracking vulnerabilities in software applications. It rests on three main pillars: static analysis (analysis of source code to identify problems in the software), dynamic analysis (scanning an already built and running application, for example a deployed executable) and runtime protection (inspecting the application's behaviour in real time while it runs).

Use cases

  • Reducing the occurrence of false positives
  • Meeting compliance standards with pre-configured policies
  • Offline vulnerability assessment
  • Suggesting which tests to run when code changes
  • Identifying failures upfront, before release
  • Threat identification with enforced threat screening

Benefits

An application security platform automates testing throughout the CI/CD pipeline so developers can resolve issues quickly during development. This saves cost and shortens the delivery process while keeping the application secure.

Verticals

All verticals

Challenges

Siloed SAST, DAST and SCA tools do not work well; running them in parallel pipelines has shown better results (SAST and SCA in particular work better together: scans run once and developers see SAST and SCA results in a single view). The tool must have a centralized dashboard so that teams can collaborate seamlessly in the security testing process. Every security testing tool has different strengths, and no tool catches everything. If budget and resource limits restrict you to one or two security testing tools, you might miss critical vulnerabilities. In addition, without the capacity to replicate and confirm findings, you might spend countless hours chasing false positives.

Protected Browser

0-2 years

Browsers are the user's first point of access to the public internet. While most websites provide some level of protection against unwanted threats, the browser itself should be able to protect the user's data and provide a safe way to navigate public sites.

Use cases

  • Protect from identity theft
  • Safe browsing: by detecting and preventing cross-site scripting and blocking compromised web pages or resources, a browser can deflect an attack before it starts;
  • Secure connections: a browser can check whether the connection to a web page is encrypted and whether the domain is trusted, and can provide additional protection by insisting on current protocol versions and cipher suites.

Benefits

Securing the end user base can have a wide security impact by reducing the chances that a user is compromised through browsing certain sites.

Verticals

This technology usually covers the end user browsing experience so it can be widely used in verticals that have a large user base accessing the internet as part of their daily activity.

Challenges

As this directly impacts the user experience, the biggest challenge is around the user adopting the technology for safely browsing the internet.

Software Composition Analysis

0-2 years

Software Composition Analysis (SCA) is a process for identifying and managing security vulnerabilities in the open source libraries and packages that are used as part of your organization's code base. SCA tools can automate the entire process of managing open source components through their life cycle. The custom code built on top of those components is covered by static application security testing (SAST) instead.

Use cases

SCA helps an organization

  • Analyze & track their code base that uses open source components with known vulnerabilities.
  • Shift-left security (flag vulnerable or outdated packages in the IDE and the build)
  • Shift-right security (update dependencies in production repositories without impacting functionality)
  • Provide detailed security information about the vulnerabilities to help developers fix them
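The core of an SCA tool, as an added example that is not code from the page or from any SCA product: parse a dependency manifest, compare each pinned version against the affected range of each advisory, and report what to upgrade to. The manifest and the advisory records are constructed for illustration (the package names and the EXAMPLE-nnnn identifiers are placeholders, not real advisories); a real tool pulls advisories from a vulnerability database and also walks transitive dependencies from a lock file.

```python
"""Matching a dependency manifest against vulnerability advisories (added example).

Not code from the page. MANIFEST and ADVISORIES are constructed placeholders.
"""
from __future__ import annotations

import re

# Constructed manifest in requirements.txt format (exact pins only).
MANIFEST = """
# web stack
webframework==2.0.1
imagelib==8.1.0
yamlparser==5.3   # pinned long ago
httpclient==2.25.1
"""

# Constructed advisories. The affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "imagelib",   "introduced": "0",     "fixed": "8.1.1",  "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "yamlparser", "introduced": "0",     "fixed": "5.4",    "severity": "critical"},
    {"id": "EXAMPLE-0003", "package": "httpclient", "introduced": "2.3.0", "fixed": "2.20.0", "severity": "moderate"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric dotted versions compared as integer tuples, so 5.9 < 5.10."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_manifest(text: str) -> dict[str, str]:
    """name -> pinned version; comments and non-pinned lines are ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def scan(manifest_text: str) -> list[dict]:
    """Findings for every advisory whose package is pinned to an affected version."""
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in ADVISORIES:
        version = deps.get(adv["package"])
        if version and is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append({
                "package": adv["package"], "installed": version,
                "advisory": adv["id"], "severity": adv["severity"],
                "fix": f"upgrade to >= {adv['fixed']}",
            })
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for f in scan(MANIFEST):
        print(f"{f['severity']:9} {f['package']}=={f['installed']}  {f['advisory']}  {f['fix']}")
```

The range check is the part that matters: httpclient 2.25.1 is newer than the fixed version and must not be reported, while a naive substring or lexicographic comparison would mis-order versions such as 5.9 and 5.10.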

Benefits

Software Composition Analysis makes it possible to identify and address vulnerabilities in the open source packages used by your application. The effort and money spent on it can avoid much larger costs from

  • Brand Reputation damage
  • Loss of customer trust
  • Statutory / Punitive payments
  • Legal Fees / Class Action Lawsuits

Verticals

All verticals

Challenges

As more organizations use open source packages in their application development, the need for software composition analysis will increase dramatically. We believe SCA will gain more traction within 0 to 2 years.

Web Application Firewall

A WAF is designed to filter and monitor the HTTP traffic between a web application server and the internet. It provides layer 7 protection against attacks carried in inbound web requests.
A WAF can be seen as the application-layer counterpart of components such as network DDoS protection or network firewalls, which operate at lower layers.
Working at layers 4 to 7, the WAF tends to operate on a rather generic, infrastructure-wide scope, often combined with other functions such as TLS termination and application load balancing.
WAFs have contributed to stopping the classes of web attack listed in the OWASP Top 10 security risks for web applications.

Use cases

WAF can be provided in various forms

  • WAF network appliance (Bespoke physical or virtual software appliances)
  • Software-based WAF (WAF modules embedded in various equipment such as Load Balancers)
  • Cloud WAF services

Benefits

Most application-level attacks, such as SQL injection and cross-site scripting (XSS), can be eliminated or minimized by deploying a WAF with a strict rule set in front of a vulnerable web application. Cross-site request forgery (CSRF) is only partially addressed: a WAF can enforce a coarse Origin/Referer check on state-changing requests, but the real fix (anti-CSRF tokens, SameSite cookies) belongs in the application itself.

Verticals

  • Mandated by regulators in the financial and insurance sector, at least for critical applications of large, systemically important financial institutions.
  • Given the trend toward cloud and API-based architectures, WAF is becoming ever more important in all verticals.

Challenges

Configuring a WAF to detect and block threats efficiently can be challenging, since what counts as "legitimate" traffic depends on the applications being protected (and thus changes with their release lifecycle). A rule set that is too strict blocks real users; one that is too loose lets attacks through.
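An added example of how a rule set of that kind makes its decision; this is not code from the page or from any WAF product. It uses anomaly scoring in the style of the OWASP Core Rule Set: every rule that matches adds a score, and the request is blocked only when the total reaches a threshold, which is what lets a single weak signal in legitimate traffic pass. The rule ids, patterns, scores, threshold and the CSRF origin check are assumptions; a production rule set has hundreds of rules and is tuned per application.

```python
"""Anomaly-scoring WAF rules (added example).

Not code from the page. The rule ids, patterns, scores and threshold are
assumptions in the style of a CRS-like rule set.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote_plus

# (rule id, pattern, anomaly score). Patterns are deliberately narrow; the
# threshold lets several weak signals add up without one of them blocking.
RULES = [
    ("942100", re.compile(r"(?i)\bunion\b.+\bselect\b"), 5),                              # UNION ... SELECT
    ("942120", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"), 5),     # OR 1=1
    ("942130", re.compile(r"(?i)(--|#|/\*)\s*$"), 2),                                      # trailing SQL comment
    ("941100", re.compile(r"(?i)<\s*script\b"), 5),                                        # <script
    ("941110", re.compile(r"(?i)\bon[a-z]+\s*="), 3),                                      # onerror=, onload=
    ("941120", re.compile(r"(?i)javascript\s*:"), 3),                                      # javascript: URL
]
THRESHOLD = 5  # inbound anomaly threshold (assumed)


def score_request(query_string: str, body: str = "") -> tuple[int, list[str]]:
    """Decode every parameter value (a second time, to catch double encoding),
    run all rules over it and return (total score, matched rule ids)."""
    total, hits = 0, []
    for raw in (query_string, body):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            for value in values:
                decoded = unquote_plus(unquote_plus(value))
                for rule_id, pattern, score in RULES:
                    if pattern.search(decoded):
                        total += score
                        hits.append(f"{rule_id}@{name}")
    return total, hits


def waf_decision(query_string: str, body: str = "", method: str = "GET",
                 origin: str | None = None, host: str = "shop.example.com") -> tuple[str, list[str]]:
    """'block' or 'allow', plus the rule ids that fired."""
    total, hits = score_request(query_string, body)
    if total >= THRESHOLD:
        return "block", hits
    # CSRF: the most a WAF can do is a coarse Origin check on state-changing
    # requests; anti-CSRF tokens and SameSite cookies belong in the application.
    if method in ("POST", "PUT", "PATCH", "DELETE") and origin is not None and origin != f"https://{host}":
        return "block", ["csrf-origin"]
    return "allow", hits


if __name__ == "__main__":
    print(waf_decision("id=1%27%20OR%201%3D1--"))          # classic injection: blocked
    print(waf_decision("comment=see+the+note--"))           # weak signal only: allowed
    print(waf_decision("", body="amount=5", method="POST", origin="https://evil.example"))
```

The tuning problem from the challenge above shows up directly: the search string "see the note--" trips the comment rule but stays under the threshold, whereas a stricter threshold of 2 would block it. Whether that is acceptable depends entirely on what the protected application's real users type.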

Data-Centric Audit and Protection (DCAP)

DCAP provides centralized and consistent security across a variety of DBMSs, both relational and NoSQL; support for cloud databases, big data platforms and NoSQL stores is expanding as well. A DCAP product sets and manages DBMS user privileges, monitors how users interact with data, provides audit logs, detects unusual activity and sends alerts so that a breach can be prevented. It is a critical security control for meeting data residency, protection and privacy compliance requirements.
The core capabilities of DCAP are maturing; products now offer machine learning to enhance behavior analytics, identify user accounts and gain deeper insight into environments. Capabilities for algorithmic detection of malicious activity are under continuous development.

Use cases

Unification of data security, user activity monitoring, enforcement of access control, attack prevention, and audit, forensic analysis and reporting are just a few of the use cases in which DCAP can be applied.

Benefits

An important addition to preventive and detective technology and to enterprise data security programs, because it provides data context against user privileges and activity.

Verticals

Telecommunication, Healthcare and Pharmaceuticals, Banking, Financial, Insurance, Government and Defense, Enterprise, and IT.

Challenges

  • Lack of coordination of data-centric security policies across data silos, resulting in inconsistent data policy implementation and enforcement
  • Continuous and significant changes in architecture and solutions, driven by exponential growth in data generation and usage
  • Managing multiple structured and unstructured silos on-premises or in public clouds

Dynamic AST

2-5 years

Dynamic AST (DAST) technology analyzes applications in their dynamic, running state during testing or operational phases. It simulates attacks against an application (typically web-enabled applications and services), analyzes the application’s reactions and, thus, determines whether it is vulnerable.

Most DAST tools can also be used to determine which web applications are running within your network by targeting an IP address or IP address range. Dynamic application security testing (DAST) is done from the outside in (black box testing) and identifies vulnerabilities while the application is running. DAST tools crawl web pages to locate web service endpoints, inputs and outputs, so a working, deployed version of the web application is required for the testing to work. Without looking at the source code, dynamic analysis simulates a penetration test to uncover exploitable vulnerabilities and business logic issues from an attacker's point of view. Because it exercises the running application, its findings are generally confirmed as reachable, but it only covers the surface that the crawler and its test payloads reach.

Use cases

  • Network visibility
  • Identifying vulnerabilities
  • Getting a clear understanding of what apps run in your environment and what sensitive data they handle
  • Producing risk profiles of applications
  • Detecting and helping remediate vulnerabilities during development

Benefits

  • Get a more current picture of what server-based applications or services reside in your network.
  • Help harden application infrastructure, implement production security controls, run effective dynamic application security testing, or target DAST at specific IP ranges.
  • Some mature organizations with advanced DAST practices use DAST wrappers to gain further control over scan configuration and to customize scans for a given code change.

Verticals

All verticals

Challenges

DAST scan takes hours or days to complete.

They can also impact availability in back-end systems.

Other problems/challenges can be

  • Insufficient testing prerequisites (a deployed, working application with realistic test data and credentials) to run DAST scans
  • Microservices architectures result in many hostnames or URLs, increasing the cost of AST SaaS offerings that price per target
  • the risk that vulnerabilities can be found too late in the SDLC, resulting in rushed or delayed remediation.

In-app protection

2-5 years

In-app protection is a security capability we must look to, not only to protect sensitive data that reaches applications running in untrusted environments, but also because in the new world of mobile apps, web applications and IoT the application front end is where much of the software logic resides, and those front ends must be hardened in order to reduce potential attack vectors.

Use cases

  • Hospital conditioning access to private information based on users’ device integrity
  • Bank preventing mobile fraud by thwarting clones and repackaged apps
  • Government preventing breach of confidential data by terminating the sensitive app before theft occurs
  • E-commerce company monitoring threat environment by collecting and analyzing mobile security events

Benefits

  • Protects the app from within the app, which means it is hard to bypass
  • Cost effective for apps that handle money (such as banking apps), because those are attacked constantly

Verticals

All verticals

Challenges

  • Could be expensive for small companies
  • More strain on developers, as they need to integrate the SDK (or whatever the in-app protection vendor provides) into their app (although some vendors claim this is easy)

Microsegmentation

Microsegmentation is a network security technique that divides an infrastructure into logical subunits. On top of this segmentation, security controls can be applied in a tailored fashion according to the specific needs of each subunit. It is an elegant alternative to placing multiple firewalls within the infrastructure, and it makes security policy-driven.

Use cases

As this is not a new technology, there are many specific and broad scenarios and use cases:

  • Application segregation: having the capability to control security at the application level helps prevent lateral movement as well as enabling application specific policies to be enforced;
  • Granular security: control traffic and access to/from sensitive workloads or storage;
  • Improved breach containment: Microsegmentation gives the ability to monitor and isolate specific portions of the infrastructure, thus improving response time and limiting the blast area in case of an attack.
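An added example of what "policy-driven" means in practice; it is not code from the page or from any microsegmentation product. Policy is written against workload identity (labels) rather than addresses, is default-deny, and evaluates the same way whichever data centre or cloud the workload runs in. The workloads, labels and rules are assumptions made for illustration; the audit function is the "continuously monitor and remediate policy breaches" step from the challenges below.

```python
"""Label-based microsegmentation policy evaluation (added example).

Not code from the page. The workloads, labels and rules are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset      # e.g. {"app=shop", "tier=api", "env=prod"}
    location: str          # informational only: policy must not depend on it


@dataclass(frozen=True)
class Rule:
    src: frozenset         # labels the source must carry (subset match)
    dst: frozenset         # labels the destination must carry
    ports: frozenset       # allowed destination ports


# Assumed policy: only these flows are allowed; everything else is denied.
POLICY = [
    Rule(frozenset({"tier=frontend", "env=prod"}), frozenset({"tier=api", "env=prod"}), frozenset({8443})),
    Rule(frozenset({"tier=api", "env=prod"}),      frozenset({"tier=db", "env=prod"}),  frozenset({5432})),
    Rule(frozenset({"role=bastion"}),              frozenset({"env=prod"}),             frozenset({22})),
]

# Constructed inventory, deliberately spread across locations.
WEB     = Workload("web-1",   frozenset({"app=shop", "tier=frontend", "env=prod"}), "dc1")
API     = Workload("api-1",   frozenset({"app=shop", "tier=api",      "env=prod"}), "aws")
DB      = Workload("db-1",    frozenset({"app=shop", "tier=db",       "env=prod"}), "azure")
DEV_WEB = Workload("web-dev", frozenset({"app=shop", "tier=frontend", "env=dev"}),  "dc1")
BASTION = Workload("bastion", frozenset({"role=bastion", "env=prod"}),              "dc1")


def evaluate(src: Workload, dst: Workload, port: int) -> tuple[str, Optional[int]]:
    """Default deny: ('allow', index of the matching rule) or ('deny', None)."""
    for index, rule in enumerate(POLICY):
        if rule.src <= src.labels and rule.dst <= dst.labels and port in rule.ports:
            return "allow", index
    return "deny", None


def audit(observed: list[tuple[Workload, Workload, int]]) -> list[str]:
    """Flows seen in telemetry that policy would deny: breaches to remediate,
    or rules to extend if the business really needs the flow."""
    return [f"{s.name}->{d.name}:{p}" for s, d, p in observed if evaluate(s, d, p)[0] == "deny"]


if __name__ == "__main__":
    print(evaluate(WEB, API, 8443))     # allowed by rule 0
    print(evaluate(API, DB, 5432))      # allowed by rule 1, even though aws -> azure
    print(evaluate(WEB, DB, 5432))      # denied: lateral movement from a compromised frontend
    print(audit([(WEB, API, 8443), (WEB, DB, 5432), (API, DB, 22)]))
```

The lateral-movement case is the one to check when writing such rules: a compromised frontend has no rule that reaches the database directly, and the dev frontend cannot talk to production at all, because the env label is part of every rule.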

Benefits

By using microsegmentation, the attack surface is greatly reduced, and breaches are contained faster and in a more predictable way. At the same time, since it is a policy-driven approach, it helps a company stay continuously compliant with regulatory standards and frameworks. It also works across different kinds of workload, whether physical, virtual or hosted by multiple cloud providers.

Verticals

Microsegmentation applies to all verticals as it is a network-based technology.

Challenges

As it is a proven technique, the challenges usually come around implementing the proper controls so that they are aligned with the business needs as well as continuously monitoring and remediating any policy breaches.

Static AST

2-5 years

Static AST (SAST) technology analyzes an application's source, bytecode or binary code, in multiple programming languages, for security vulnerabilities, typically in the programming and/or testing phases of the software development life cycle (SDLC).

The solution should enable enterprises to customize and fine-tune the testing according to their own coding practices and standard libraries, reducing the occurrence of false positives. A SAST solution can be deployed as an on-premises tool or as a cloud service. Potential vulnerabilities should be categorized by severity.

The use of SAST modules within the IDE during coding and use of extensive penetration testing in the prerelease stage are optional — with the latter usually being a risk-based or compliance decision.

Use cases

  • Audit code and triage issues during implementation
  • Meet the CERT secure coding standards
  • Meet automotive coding standards such as MISRA
  • Identifying potentially dangerous attributes in a class or unsafe code that can lead to unintended code execution
  • Identifying cross-site scripting (XSS) flaws
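What a SAST engine actually does for the injection cases above, as an added example rather than code from the page or from any SAST product: a taint analysis over the Python AST that marks values read from request input as tainted, propagates the taint through assignments, concatenation, `%` formatting, `str.format()` and f-strings, and reports when a tainted value is the query or command argument of a sink. The source and sink names are assumptions and the Flask-style sample is constructed; real engines track flow across functions, files and frameworks rather than a single function body.

```python
"""A small static taint check over the Python AST (added example).

Not code from the page. SOURCES, SINK_ATTRS and SAMPLE are assumptions.
"""
from __future__ import annotations

import ast

SOURCES = {"request.args.get", "request.form.get", "request.get_json"}   # assumed taint sources
SINK_ATTRS = {"execute", "executescript", "system", "popen"}             # assumed sinks


def dotted(node: ast.AST) -> str:
    """'request.args.get' for an attribute chain rooted at a name, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


class TaintChecker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted: set[str] = set()
        self.findings: list[tuple[int, str]] = []

    def is_tainted(self, node: ast.AST) -> bool:
        """Taint propagates through names, calls with tainted arguments,
        f-strings, % and + operators, str.format() and subscripts."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            return dotted(node.func) in SOURCES or any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.JoinedStr):
            return any(self.is_tainted(v.value) for v in node.values if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.BinOp):
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, (ast.Attribute, ast.Subscript)):
            return self.is_tainted(node.value)
        return False

    def visit_Assign(self, node: ast.Assign) -> None:
        if self.is_tainted(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINK_ATTRS and node.args:
            # Only the query/command text matters; a parameter tuple is fine.
            if self.is_tainted(node.args[0]):
                self.findings.append((node.lineno, f"tainted data reaches {dotted(func) or func.attr}()"))
        self.generic_visit(node)


def check(source: str) -> list[tuple[int, str]]:
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample under test: two SQL injections, one command injection, two safe calls.
SAMPLE = '''\
import os
from flask import request

def lookup(cur):
    uid = request.args.get("id")
    cur.execute("SELECT * FROM users WHERE id = " + uid)      # line 6: finding
    cur.execute(f"SELECT * FROM users WHERE id = {uid}")       # line 7: finding
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))    # line 8: safe, parameterised
    name = request.form.get("name")
    os.system("ping " + name)                                  # line 10: finding
    cur.execute("SELECT count(*) FROM users")                  # line 11: safe
'''

if __name__ == "__main__":
    for line, message in check(SAMPLE):
        print(f"line {line}: {message}")
```

The parameterised call on line 8 is the deliberate negative case: the tainted value is in the parameter tuple, not in the SQL text, so no finding is raised. That distinction is exactly what a pattern-matching grep for `execute(` cannot make, and why SAST tools carry a false-positive rate that has to be tuned (see the challenges below).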

Benefits

  • SAST solutions analyze applications as written, rather than during application runtime.
  • SAST represents the developer’s point of view to make sure that all coding procedures follow the appropriate safety standards to ensure the security of an application from the start.
  • Can be deployed on-premises or in the cloud.
  • Because SAST tools don’t need a running application to perform an analysis, they can be used early and often in the implementation phase of the software development life cycle (SDLC). As a developer is writing code, SAST can analyze it in real-time to inform the user of any rule violations, so you can immediately deal with issues and deliver higher quality applications out of the box while preventing issues at the end of the development process.

Verticals

All verticals

Challenges

  • SAST tools tend to have higher false-positive rates than DAST.
  • In the absence of code dependencies (missing libraries or build configuration), the SAST tool's effectiveness is reduced, or it cannot run at all.
  • Although a set of code ("a project") may be buildable, it may be one component of a larger application design. As a result, the scope of an ad hoc SAST scan is limited to just the buildable component. If the SAST tool is not designed to require buildable code, it may be less effective because it is not looking at the fully integrated codebase. In the absence of an effective incremental scanning capability, you will need to scan the full codebase, parse the results after the scan (for example with an application vulnerability correlation (AVC) capability) and filter out previously detected issues.
  • Some languages are not supported by SAST tools; the workarounds are to shift the testing focus to DAST or IAST until the vendor adds support, and to use manual code review and pattern matching for known exploit patterns.

API Security Monitoring & discovery

5+ years

API security monitoring, one of the key layers of API security, entails monitoring the API throughout its production lifecycle. It helps the responsible teams keep tabs on the API's behavior and availability. "Observability" (which includes monitoring) is a major feature of API-based microservices thanks to API gateways and service meshes. In a service mesh such as Istio, the control plane (the management plane) collects and aggregates metrics from the data plane (which carries the production traffic) and can feed them to monitoring tools such as Prometheus, whose data is then consumed by dashboards such as Grafana.
API security discovery is an important step in securing an API: if you are not aware of an API, you cannot defend it. API silos reduce visibility, leaving partial lists of APIs under disconnected governance. API discovery is a race between API providers and cybercriminals. "Service discovery" is an essential feature of an API and microservice architecture, often extending and refining the load balancing and service discovery mechanisms already provided at the container orchestration level (for instance by Kubernetes).
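An added example of the discovery step, not code from the page or from any API security product: endpoints are inventoried from access-log telemetry, identifiers in paths are collapsed so that many URLs fold into one route, and the observed routes are reconciled against the documented inventory to surface undocumented ("shadow") APIs. The log lines and the documented route list are constructed for illustration; a real pipeline reads gateway or service-mesh telemetry and reconciles against OpenAPI specs.

```python
"""API discovery from access logs and reconciliation with the documented
inventory (added example).

Not code from the page. LOG and DOCUMENTED are constructed.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed access-log lines (combined log format, abbreviated).
LOG = """
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /v1/users/77 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /v1/orders HTTP/1.1" 201 120
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /v1/orders/8f3a2c1e-9b4d-4c2a-8e1f-1a2b3c4d5e6f HTTP/1.1" 200 700
10.0.0.12 - - [01/Jan/2024:10:00:05 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.12 - - [01/Jan/2024:10:00:06 +0000] "GET /v2/users/5?verbose=1 HTTP/1.1" 200 480
"""

# What the OpenAPI spec says exists (constructed).
DOCUMENTED = {("GET", "/v1/users/{id}"), ("POST", "/v1/orders"), ("GET", "/v1/orders/{id}")}

LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def normalize(path: str) -> str:
    """Drop the query string and collapse identifiers, so /v1/users/1042 and
    /v1/users/77 become the single route /v1/users/{id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if seg.isdigit() or UUID_RE.match(seg) else seg
                    for seg in path.split("/"))


def discover(log_text: str) -> Counter:
    """(method, route) -> request count, for every route that served traffic."""
    seen: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[(m["method"], normalize(m["path"]))] += 1
    return seen


def shadow_apis(log_text: str) -> list[tuple[str, str, int]]:
    """Routes that serve traffic but are absent from the documented inventory."""
    seen = discover(log_text)
    return sorted((method, route, n) for (method, route), n in seen.items()
                  if (method, route) not in DOCUMENTED)


if __name__ == "__main__":
    for method, route, n in discover(LOG).items():
        pass
    for method, route, n in shadow_apis(LOG):
        print(f"undocumented: {method} {route} ({n} requests)")
```

The two results in the sample are the typical finds: a debug endpoint that should never have been reachable in production, and a new API version that exists in code but not in the spec, so no access rules or rate limits were ever written for it.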

Use cases

  • Access Control: OAuth authorization/resource server, access rules definition and enforcement, consent management and enforcement
  • Rate Limiting: Rate limits, spike protection
  • Content validation: input/output content validation, signature-based threat detection
  • Monitoring & analytics: API call sequence checks, decoys, geo-fencing and geo-velocity checks

Benefits

  • Vulnerability & Exploit prevention
  • API Threat detection
  • API behavior and analytics
  • Customer data is secured
  • Prevents against attacks such as stolen token, outside the app scenarios, etc
  • Auditing and incident response
  • API Data and Governance enforcement

Verticals

Large vertical coverage: finance, banking, media, retail, e-commerce, healthcare, manufacturing, public sector, business services, IoT, etc.

Challenges

Securing APIs is a constant journey: no two applications are alike, development goes through multiple teams and security risks can arise from miscommunication between them. Documentation is a key factor in the lifecycle of APIs; if the documentation is not reliable, it can lead to a misalignment between business goals and security.

Contextual security

5+ years

Contextual security is a technique in which information about the environment, the systems and the data that resides in those systems is used to drive the security controls and methods that are implemented. It is also a key element in achieving compliance with industry standards in a cost- and resource-effective manner.

Use cases

  • Increased effectiveness of security decisions: security decisions are enhanced by having and understanding the big picture behind the infrastructure;
  • Efficient security implementation: by understanding each subsystem and the contextual data around it, security controls can be implemented in a more specific way tailored to each system in the infrastructure.

Benefits

Better and more accurate threat discovery and response can be achieved by having context around security events. This context comes from including any additional relevant information, such as correlated events, threat intelligence, network flows and connections.

Verticals

As a governance technique, it can be applied to all verticals.

Challenges

Usually, the challenge for implementing this technique revolves around the availability of contextual information. It needs to be in a format that can be quickly searched or attached to security events.
Another major challenge is processing a large volume of data and having it readily available to users in a relevant way.

Crowdsourced security testing platforms

5+ years

A crowdsourced security platform uses a group of people registered on the platform to test an application for vulnerabilities. The number of people can range from fewer than a dozen to several hundred testing concurrently, and the skill set of the crowd involved can also vary heavily. These platforms offer incentives to highly skilled people and high performers to stay on the platform.

Use cases

Crowdsourcing is best suited to B2C software such as web applications, mobile applications, browsers, APIs, operating systems, and firmware in smart devices and smart cars. Many large corporations run crowdsourced programs on an ongoing basis to continuously improve the security of their applications:

  • Bug Bounty Programs
  • Vulnerability Disclosure Programs
  • Responsible Disclosure Programs

Benefits

  • provide open-ended campaigns with no time limit leading to equal opportunity for anyone to contribute
  • ensure watchful eyes over all versions of the software if the incentives are high enough
  • identify critical & zero-day vulnerabilities faster simply due to sheer size & diversity of crowd skillset
  • crowdsourced penetration testing often yields exploitable vulnerabilities with proof of exploit enabling organizations to stop chasing phantom vulnerabilities

Verticals

All verticals

Challenges

With rapid adoption of Agile / DevOps in organizations, development and operations teams have been accelerating the pace of software release, moving towards continuous delivery. As they mature in this overall process, we expect organizations to be more comfortable in opening their B2C applications to crowd sourced security testing platforms. We believe this technology will reach its mainstream traction in 5 to 10 years horizon.

Interactive Application Security Testing

5+ years

IAST is a hybrid model for identifying application security vulnerabilities by instrumenting the application under test with an agent. IAST can be further classified into active and passive IAST. Active IAST requires a DAST tool to simulate attacks, which takes more time, while the agent confirms from inside the application that a vulnerability is real, giving greater accuracy. Passive IAST tools can leverage any form of functional testing (manual, or automated scripts as part of CI/CD) to collect data and deliver accurate security findings in less time.

Use cases

IAST works as an effective shift left approach for identifying & remediating security vulnerabilities early before the applications hit production environment.

  • Passive IAST is best suited for DevOps environment with highly automated CI/CD pipeline
  • Active IAST is best suited for environments with non-frequent releases but need high accuracy

Benefits

IAST enables organizations to identify and address potential vulnerabilities in APIs, web services or web applications before they can be exploited by hackers or malicious users.

Verticals

All verticals

Challenges

Security testing tool vendors are realizing the potential that IAST can offer for customers and hence are currently enhancing their SAST/DAST tools to provide IAST tools. As more technology providers promote IAST as their defacto testing tool for Agile or DevOps way of working, we believe IAST will gain mainstream relevance in 5 to 10 years’ time.

Low Code/ no Code security

5+ years

Low-code and no-code development platforms are great tools for rapid software development and quick writing of powerful apps by both technical and non-technical personnel.

Use cases

The adoption of low-code platforms comes with security concerns. To reduce them and keep the environment governed, the platform must enforce coding best practices and integrate with CI/CD processes and tools. The provider must take responsibility for protecting the generated web apps against common vulnerabilities, backed by third-party certification of code quality and security.

Benefits

Applications developed on a low-code platform can be more secure than those created the traditional way, as the platform provider takes on the responsibility of securing the platform and ensuring the technical quality of the apps built with its tooling. Fast app delivery is another commercial advantage of using such platforms.

Verticals

All verticals

Challenges

  • Security is the main concern related to low-code platform adoption, in particular: lack of visibility, growth of shadow IT, and no data oversight, with end users put in the position of making decisions about configuration, permissions and access control, and business logic problems that expose data.
  • Custom code, or parts of the app created outside of the native tooling of the low-code platform create security risks as developers risk reintroducing security weaknesses that low-code platforms are designed to eliminate.
  • Integration with external databases, apps, services, also increase security risks as a common developer mistake is not securing the endpoints.

Runtime Application Self-Protection

5+ years

Runtime application self-protection (RASP) is a self-defending security technology built into an application or its runtime environment. It controls the execution of the application, raises an alarm in diagnostic mode and blocks an attack in protection mode, in real time.

Use cases

Mission-critical and business-critical applications can better protect themselves by leveraging RASP technology. It provides an extra layer of protection after the application has been deployed in production. It can protect the application by

  • stopping the execution of a certain operation
  • terminating the session
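An added example that stands in for both the passive IAST agent described earlier on this page and the RASP hook described here; it is not code from the page or from any IAST or RASP product. The same in-process hook on a SQL sink runs in diagnostic mode (record a finding, let the query through, as a passive IAST agent does during functional tests) or in protection mode (stop the operation). The sample application, the request context and the detection heuristic are assumptions: a query is treated as an injection when a request parameter value appears verbatim inside the SQL text and carries quote, comment or keyword characters. Parameterised queries never trip it, because their values are not part of the SQL text.

```python
"""An in-process agent hooking a SQL sink, in diagnostic (report-only) and
protection (blocking) modes (added example).

Not code from the page. The app, request context and heuristic are assumptions.
"""
from __future__ import annotations

import contextvars
import re
import sqlite3
from typing import Optional

# Parameters of the request currently being handled. A framework integration
# would set this; find_user() below sets it by hand.
request_params = contextvars.ContextVar("request_params", default={})

INJECTION_MARKERS = re.compile(r"['\";]|--|/\*|\b(or|and|union|select)\b", re.I)


class Agent:
    def __init__(self, mode: str = "diagnostic"):
        self.mode = mode                 # "diagnostic": report only; "protection": block
        self.events: list[dict] = []

    def inspect_sql(self, sql: str) -> Optional[dict]:
        """Value-propagation check: did request input land verbatim in the SQL?"""
        for name, value in request_params.get().items():
            if value and value in sql and INJECTION_MARKERS.search(value):
                return {"sink": "sqlite3.Cursor.execute", "param": name, "value": value, "sql": sql}
        return None

    def install(self) -> None:
        GuardedCursor.agent = self


class GuardedCursor(sqlite3.Cursor):
    """Hooked sink: inspects the SQL text before handing it to SQLite."""
    agent: Optional[Agent] = None

    def execute(self, sql, params=()):
        if self.agent is not None:
            event = self.agent.inspect_sql(sql)
            if event is not None:
                self.agent.events.append(event)
                if self.agent.mode == "protection":
                    raise PermissionError("blocked by RASP: SQL injection via " + event["param"])
        return super().execute(sql, params)


class GuardedConnection(sqlite3.Connection):
    def cursor(self, factory=GuardedCursor):
        return super().cursor(factory=factory)


def find_user(conn: sqlite3.Connection, params: dict) -> list:
    """Constructed, deliberately vulnerable handler: concatenates 'name' into SQL."""
    token = request_params.set(params)
    try:
        cur = conn.cursor()
        cur.execute("SELECT id, name FROM users WHERE name = '" + params["name"] + "'")
        return cur.fetchall()
    finally:
        request_params.reset(token)


def run(mode: str):
    """Drive the app once benignly and once with an injection; return what the
    caller saw and what the agent recorded."""
    agent = Agent(mode)
    agent.install()
    conn = sqlite3.connect(":memory:", factory=GuardedConnection)
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    cur.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    benign = find_user(conn, {"name": "alice"})
    try:
        attack = find_user(conn, {"name": "x' OR '1'='1"})
    except PermissionError:
        attack = "blocked"
    return benign, attack, agent.events


if __name__ == "__main__":
    for mode in ("diagnostic", "protection"):
        benign, attack, events = run(mode)
        print(mode, "benign:", benign, "attack:", attack, "events:", len(events))
```

In diagnostic mode the injected query returns every row, which is what an IAST agent reports back to the test pipeline together with the exact sink and parameter; in protection mode the same hook refuses the operation, which is the "stopping the execution of a certain operation" use case above. The heuristic is intentionally narrow: real agents also watch `executemany`, ORM query builders and command, file and deserialisation sinks.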

Benefits

  • Self-protect & defend against attacks by hackers or malicious users exploiting vulnerabilities that may exist in APIs, web services or web applications.

Verticals

All verticals

Challenges

With rapid adoption of Agile / DevOps in organizations, development and operations teams have been accelerating the pace of software release, moving towards continuous delivery. As software is released more frequently, gaps remain in security test coverage leading to the introduction of vulnerabilities in production. RASP is a means to quickly make both new and legacy applications self-defending against attacks in production and we believe this technology will reach its mainstream traction in 5 to 10 years horizon.