I have wanted to put together some of my thoughts on the trends in application security for quite some time. Finally, as I have some time today since it is a day off, I made a deal with my wife that we won't speak for the next 2 hours.
What I am writing is based on my personal experience while working with more than 300 customers for "Cloud based Application Security Testing", interactions with several industry analysts, my fellow technologists/security entrepreneurs and a bit of my "gut feel".
1. Run Time Application Security Protection (RASP)
Today applications mostly rely on external protection such as IPS (Intrusion Prevention Systems), WAF (Web Application Firewall) etc., and there is great scope for building many of these security features into the application itself so that it can protect itself at run time.
RASP is an integral part of an application's run time environment and can be implemented as an extension of the Java debugger interface. RASP can detect an attempt to write a high volume of data into the application's run time memory, or detect unauthorized database access. It has the real time capability to take actions such as terminating sessions or raising alerts. WAF and RASP can work together in a complementary way: the WAF can detect potential attacks, and RASP can verify them by observing how the application actually responds internally.
Once RASP is built into the application itself, it will be more powerful than external devices, which have only limited visibility into how the application's internal processes work.
2. Collaborative Security Intelligence
By collaborative security, I mean collaboration or integration between different Application Security technologies.
DAST+SAST: DAST (Dynamic Application Security Testing) does not need access to the code and is easy to adopt. SAST (Static Application Security Testing), on the other hand, needs access to the code but has the advantage of more insight into your application's internal logic. Both technologies have their own pros and cons; however, there is great merit in the ability to connect and correlate the results of both SAST and DAST. This can not only reduce false positives but also increase efficiency in terms of finding more vulnerabilities.
SAST+DAST+WAF: The vulnerabilities detected by SAST or DAST can be provided as input to the WAF. The vulnerability information is used to create specific rule sets so that the WAF can block attacks on those vulnerabilities even before the fixes are implemented.
SAST+DAST+SIM/SIEM: The SAST/DAST vulnerability information can be very valuable for SIM (Security Incident Management) or SIEM (Security Incident Event Management) correlation engines. The vulnerability information can help in providing more accurate correlation and attack detection.
WAF+RASP: WAF and RASP are complementary. The WAF can provide information which can be validated by RASP, and hence help in more accurate detection and prevention of attacks.
Grand Unification: Finally, one day all of the above (and many more) will be combined in such a way that organizations can have true security intelligence.
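To make the SAST+DAST correlation and the SAST+DAST+WAF hand-off concrete, here is an added example that is not from the original post or any product: it matches constructed SAST and DAST findings on route, parameter and vulnerability class, treats the intersection as confirmed, and emits parameter-scoped blocking rules for the confirmed findings in a made-up rule format (the finding fields, hostname, file names and `ruleset` names are all assumptions).

```python
"""Correlate SAST and DAST findings, then emit virtual-patch rules for the confirmed ones.
All data and formats below are constructed for illustration, not any scanner's or WAF's own."""
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class SastFinding:
    file: str    # source file containing the dangerous sink
    sink: str    # the call the tainted data reaches
    route: str   # URL path handled by that code
    param: str   # request parameter that is the taint source
    cls: str     # vulnerability class: "sqli", "xss", "cmdi", ...

@dataclass(frozen=True)
class DastFinding:
    url: str
    param: str
    cls: str
    evidence: str  # what the scanner observed in the response

# Constructed findings for a hypothetical application.
SAST = [
    SastFinding("UserDao.java", "Statement.executeQuery", "/search", "q", "sqli"),
    SastFinding("Profile.java", "PrintWriter.print", "/profile", "name", "xss"),
    SastFinding("Report.java", "Runtime.exec", "/report", "fmt", "cmdi"),
]
DAST = [
    DastFinding("https://app.example/search", "q", "sqli", "SQL syntax error in response"),
    DastFinding("https://app.example/search", "q", "xss", "probe string reflected"),
    DastFinding("https://app.example/about", "ref", "xss", "probe string reflected"),
]

def correlate(sast, dast):
    """Return (confirmed, sast_only, dast_only).
    confirmed: same route, parameter and class seen by both tools -> fix first, virtual-patch now.
    sast_only: static path exists but not reached dynamically -> verify manually (possible FP).
    dast_only: observed at run time but no static match -> code outside scan scope, or FP."""
    s_keys = {(f.route, f.param, f.cls): f for f in sast}
    d_keys = {(urlsplit(f.url).path, f.param, f.cls): f for f in dast}
    confirmed = {k: (s_keys[k], d_keys[k]) for k in s_keys.keys() & d_keys.keys()}
    sast_only = [s_keys[k] for k in s_keys.keys() - d_keys.keys()]
    dast_only = [d_keys[k] for k in d_keys.keys() - s_keys.keys()]
    return confirmed, sast_only, dast_only

def virtual_patch_rules(confirmed):
    """One blocking rule per confirmed finding (constructed format), scoped to the exact
    path and parameter so the WAF's class-specific rule set only fires where it is needed."""
    return sorted(f"DENY path={route} param={param} class={cls} ruleset={cls}-strict"
                  for (route, param, cls) in confirmed)
```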
3. Hybrid Application Security Testing
By “Hybrid” I mean combining automation and manual testing in a manner “beyond what consultants do” so that we can achieve higher scalability, predictability and cost effectiveness.
DAST and SAST both have their own limitations. Two of the major problem areas are False Positives and Business Logic Testing. Unlike Network Testing, where you need to find known vulnerabilities in a known piece of code, Application Testing deals with unknown code. This makes the model of vulnerability detection quite different and more difficult to automate, so you get the best quality results from consultants or your in-house security experts. However, this model is not scalable: there are more than a billion applications which need testing, and we do not have enough humans on earth to test them.
It is not a question of “man vs machine” but it is a matter of “man and machine”. The future is in the combination of automation and manual validation in “smart ways”. iViZ is an interesting example that uses the automated technology along with “work flow automation” (for manual checks) so that they can assure Zero False Positives and Business Logic Testing with 100% WASC Class coverage. In fact they offer unlimited applications security testing at a fixed flat fee while operating at a gross margin better than average SaaS players.
4. Application Security as a Service
I believe in the "as a Service" model for a very simple reason: we do not need technology for the sake of technology but to solve a problem, i.e. it's the solution/service that we need. With the growing focus on "Core Competency", it makes more sense to procure services than to acquire products. "Get it done" makes more sense than "Do It Yourself" (of course there are exceptions).
Today we have SAST as a Service, DAST as a Service, WAF as a Service. Virtually everything is available as a service. Gartner, in fact, has created a separate hype cycle for "Application Security as a Service".
Application Security as a Service has several benefits, such as: reduction of fixed operational costs, help in focusing on core competency, resolving the problems of talent acquisition and retention, reduction of operational management overheads, and many more.
5. Beyond Secure SDLC: Integrating Development and Operations in a secure thread
Today is the time to look beyond Secure SDLC (Software Development Life Cycle). There was a time when we saw a huge drive to integrate security with the SDLC, and I believe the industry has made some decent progress. The future is to do the same in terms of "Security+Development+Operations". The entire thread of Design, Development and Testing through to Production, Management, Maintenance and Operations should be tied together seamlessly with security as the major focus. Today there is a "security divide" between Development and Operations. This divide will blur some day with a more integrated view of the security life cycle.
PS: I would invite you to provide your comments, observations or experience regarding the above topics, and anything else which you see as a major trend.