Virtualization Technology News and Information
Article
RSS
Signal Sciences 2019 Predictions: Cloud Security - New Intelligence and Safeguards for Web Apps

Industry executives and experts share their predictions for 2019.  Read them in this 11th annual VMblog.com series exclusive.

Contributed by Andrea Swaney, Head of Product Marketing for Signal Sciences

Cloud security in 2019: New intelligence and safeguards for web apps

As I'm writing this, I'm sitting among 55,000 friends at AWS re:Invent in Vegas. As organizations become more comfortable with the cloud security controls available to them, nearly every company has at least a toe in the cloud these days. What can they expect moving forward? Here are two key trends I see shaping cloud security in 2019.

Adversary research strengthens app defense

In the year ahead, enterprises will go beyond broad-based strategies based on OWASP Top 10 application threats and focus on unique application threats identified through adversary research.

Web apps were once again the top source of successful attack breaches in 2018-accounting for one in five breaches, according to the 2018 Verizon Data Breach Investigations Report (DBIR). We saw more than a dozen high-profile, large-scale web app attack leaks and breaches against targets including Facebook, Panera, and Fiserv, among others. IDG's 2018 Cloud Computing Survey found that 73 percent of organizations run at least one application in the cloud, and another 17 percent plan to do so in the next 12 months. According to the LogicMonitor Cloud Vision 2020 survey, 83 percent of enterprise workloads will run in the cloud by 2020, including 41 percent running on public cloud platforms. As applications continue this rapid migration, focusing on common OWASP vulnerabilities won't provide adequate coverage for unique application threats.

With advanced monitoring, threat hunting, and prioritization tools available on the market, 2019 will find enterprises focused less on finding potential vulnerabilities, and more on actually fixing the ones that are being exploited to stop the bleeding. By using these tools to get a better understanding of real-time application attacks and exploits, teams can allocate resources based on actual risk, not just the potential severity of a theoretical attack.

We'll also see more companies following the lead of Intuit, which has placed sensors all over its application stack to understand the real threats unique to each application, rather than solely focusing on common OWASP attacks such as forceful browsing, null byte attacks, and unique feature abuse requiring careful instrumentation of request and response flows.

These types of adversary-driven methods have become especially important as developers have gained more freedom in their choice of language. While the risks posed by common languages such as Java and JavaScript are well understood, newer and more exotic languages are less familiar. As we saw in the 2018 SANS Secure DevOps survey, the understanding of new risk is not keeping up with the increased use of risky languages and the speed of development.

Cloud providers fortify through acquisition

With more workloads moving to public cloud-already up to 43 percent, up from 24 percent in 2014, according to Interop's 2018 State of the Cloud Report-cloud providers are going to acquire and integrate more security solutions to detect threats and defend their platforms and customers. Already in 2018, Amazon Web Services acquired Sqrrl for its machine learning capabilities to integrate into GuardDuty. Oracle acquired Zenedge to add capabilities around web defense to compete with Amazon Web Services and Microsoft Azure, which have deeper native and partner offerings due to their more mature ecosystems.

With cloud adoption for application workloads climbing every year, and a continued onslaught of application security breaches, 2019 could be a great awakening for organizations to change the way they approach defense. As risk continues to move away from the network, out to endpoints, and up the application stack, cloud providers will be looking to augment their own security capabilities to assure customers that the proper guardrails are in place.

May you have a happy-and more secure-new year!

##

About the Author

 

Andrea Swaney is head of product marketing and alliances at Signal Sciences. She has spent the last 10 years leading teams to deliver security solutions that have clear business value for customers. When not working to secure the web, Andrea is likely to be found drinking wine on a vineyard somewhere in California or France. Follow her @aswaney

Published Friday, December 28, 2018 7:27 AM by David Marshall
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
top25
Calendar
<December 2018>
SuMoTuWeThFrSa
2526272829301
2345678
9101112131415
16171819202122
23242526272829
303112345