
Industry executives and experts share their predictions for 2019. Read them in this 11th annual VMblog.com series exclusive.
Contributed by Andrea Swaney, Head of Product Marketing for Signal Sciences
Cloud security in 2019: New intelligence and safeguards for web apps
As
I'm writing this, I'm sitting among 55,000 friends at AWS re:Invent in Vegas.
As organizations become more comfortable with the cloud security controls
available to them, nearly every company has at least a toe in the cloud these
days. What can they expect moving forward? Here are two key trends I see
shaping cloud security in 2019.
Adversary research strengthens app
defense
In
the year ahead, enterprises will go beyond broad-based strategies based on
OWASP Top 10 application threats and focus on unique application threats
identified through adversary research.
Web
apps were once again the top source of successful attack breaches in
2018-accounting for one in five breaches, according to the 2018 Verizon Data Breach Investigations Report
(DBIR). We saw more than a dozen high-profile, large-scale web app attack leaks
and breaches against targets including Facebook, Panera, and Fiserv, among others. IDG's 2018 Cloud Computing Survey
found that 73 percent of organizations run at least one application in the
cloud, and another 17 percent plan to do so in the next 12 months. According to
the LogicMonitor Cloud Vision 2020
survey, 83 percent of enterprise workloads will run in the cloud by 2020,
including 41 percent running on public cloud platforms. As applications
continue this rapid migration, focusing on common OWASP vulnerabilities won't provide
adequate coverage for unique application threats.
With
advanced monitoring, threat hunting, and prioritization tools available on the
market, 2019 will find enterprises focused less on finding potential
vulnerabilities, and more on actually fixing the ones that are being exploited
to stop the bleeding. By using these tools to get a better understanding of
real-time application attacks and exploits, teams can allocate resources based
on actual risk, not just the potential severity of a theoretical attack.
We'll
also see more companies following the lead of Intuit, which has placed sensors
all over its application stack to understand the real threats unique to each
application, rather than solely focusing on common OWASP attacks such as
forceful browsing, null byte attacks, and unique feature abuse requiring
careful instrumentation of request and response flows.
These
types of adversary-driven methods have become especially important as developers
have gained more freedom in their choice of language. While the risks posed by
common languages such as Java and JavaScript are well understood, newer and
more exotic languages are less familiar. As we saw in the 2018 SANS Secure DevOps survey, the
understanding of new risk is not keeping up with the increased use of risky
languages and the speed of development.
Cloud providers fortify through
acquisition
With
more workloads moving to public cloud-already up to 43 percent, up from 24
percent in 2014, according to Interop's 2018 State of the Cloud Report-cloud
providers are going to acquire and integrate more security solutions to detect
threats and defend their platforms and customers. Already in 2018, Amazon Web Services acquired Sqrrl
for its machine learning capabilities to integrate into GuardDuty. Oracle
acquired Zenedge to add capabilities around web defense to compete with Amazon
Web Services and Microsoft Azure, which have deeper native and partner
offerings due to their more mature ecosystems.
With
cloud adoption for application workloads climbing every year, and a continued
onslaught of application security breaches, 2019 could be a great awakening for
organizations to change the way they approach defense. As risk continues to move
away from the network, out to endpoints, and up the application stack, cloud
providers will be looking to augment their own security capabilities to assure
customers that the proper guardrails are in place.
May
you have a happy-and more secure-new year!
##
About the Author
Andrea Swaney is head of product
marketing and alliances at Signal Sciences. She has spent the last 10 years
leading teams to deliver security solutions that have clear business value for
customers. When not working to secure the web, Andrea is likely to be found
drinking wine on a vineyard somewhere in California or France. Follow her
@aswaney