Industry executives and experts share their predictions for 2020. Read them in this 12th annual VMblog.com series exclusive.
By AppSec Industry Experts of Veracode
AppSec Themes to Watch in 2020
As we said in the introduction to our 10th anniversary State of
Software Security report this year, the last 10 years in AppSec saw both
enormous change, and a fair amount of stagnation. Part of the reason for the
stagnation is that software development is increasing at unprecedented rates,
and security is often struggling to keep up. So as we shift our focus from
reflection to prediction, we think application security in 2020 will be all
about new solutions and best practices to keep up with the pace of development
and empower developers to code both quickly and securely.
A few AppSec themes we expect to see renewed focus on in 2020 include:
Security champions
With a security skills shortage, and an
explosion of software development, it's time to get creative to spread security
skills and know-how across development teams. A security
champions program is becoming a
popular way to do this, and we expect to see more of these programs in 2020. In
a recently released report, Building an Enterprise DevSecOps Program, security analyst Adrian Lane notes, "I spoke with three
midsized firms this week - their development personnel ranged from 800-2000
people, while their security teams ranged from 12 to 25." In the same report,
he says of assigning security champions to development teams, "Regardless of
how you do it, this is an excellent way to scale security without scaling
headcount, and we recommend you set aside some budget and resources - it
returns far more benefits than it costs."
A security champion is a developer with an
interest in security who helps amplify the security message at the team level.
Security champions don't need to be security pros; they just need to act as the
security conscience of the team, keeping their eyes and ears open for potential
issues. Once the team is aware of these issues, it can then either fix the
issues in development or call in your organization's security experts to
provide guidance.
With a security champion, an organization
can make up for a lack of security coverage or skills by empowering a member of
the development team to act as a force multiplier who can pass on security best
practices, answer questions, and raise security awareness.
Metrics that make sense
Metrics - or perhaps more accurately, the right metrics -
are crucial for understanding what's really happening in your AppSec program.
They serve a dual purpose: They demonstrate your organization's current state,
and also show what progress it's making in achieving its objectives.
On the flip side, focusing on the wrong
metrics can lead to frustration, disengagement, and a stalled program. If
you've got an overly stringent AppSec policy - for instance, "fix all flaws
found within two weeks" - your metrics will not paint a pretty picture, and
your developers will give up before they've begun. We think 2020 will be the
year of getting AppSec metrics right with smart, achievable, sensible AppSec
policies.
We will increasingly see a focus on
providing developers with simple cues to encourage the right behavior, but in a
realistic way. For example, teams start by classifying security bugs into those
that are highest priority, those that are important but not showstoppers, and
those that, although not ideal, are acceptable to leave in place. For the first
two categories in particular, they then track the average time to fix a
security bug, establish a baseline, and negotiate targets so that engineers and
product owners can buy in. These metrics may ultimately help to determine
compensation, but initially they are more likely to be linked to softer
benefits for the team.
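The workflow above (classify findings into tiers, measure time to fix, compare against a negotiated target) is easy to mis-implement, so here is an added example, not Veracode code, that computes it over constructed sample findings. It contrasts the flat "fix everything within two weeks" policy from the text with a tiered policy whose day counts (14, 60, no deadline) are assumptions for illustration, not recommended values. An open finding counts as on time only while it is younger than its tier's deadline, so aging backlog shows up in the numbers rather than hiding behind "average time to fix" of the findings that did get closed.

```python
"""Remediation metrics per severity tier, checked against a fix-time policy.

Added illustration; the findings are constructed sample data, not scan output.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# The three tiers the text describes; the names are this example's own.
TIERS = ("critical", "important", "acceptable")

# The overly stringent policy from the text: every flaw fixed within two weeks.
STRICT_POLICY: Dict[str, Optional[int]] = {t: 14 for t in TIERS}

# A tiered policy with negotiated targets in days; None = tracked, no deadline.
# These numbers are assumptions for the example, not recommended values.
TIERED_POLICY: Dict[str, Optional[int]] = {
    "critical": 14, "important": 60, "acceptable": None,
}


@dataclass(frozen=True)
class Finding:
    ident: str
    tier: str
    opened: date
    closed: Optional[date] = None  # None while the finding is still open

    def age_days(self, as_of: date) -> int:
        """Days from discovery to fix, or to `as_of` if still open."""
        return ((self.closed or as_of) - self.opened).days


# Constructed sample findings (hypothetical identifiers and dates).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("C-1", "critical", date(2020, 1, 2), date(2020, 1, 10)),    # fixed, 8 days
    Finding("C-2", "critical", date(2020, 1, 5), date(2020, 1, 25)),    # fixed, 20 days
    Finding("C-3", "critical", date(2020, 1, 20)),                      # open, 11 days
    Finding("I-1", "important", date(2019, 11, 1), date(2019, 12, 21)), # fixed, 50 days
    Finding("I-2", "important", date(2019, 10, 1)),                     # open, 122 days
    Finding("A-1", "acceptable", date(2019, 6, 15)),                    # open, accepted
    Finding("A-2", "acceptable", date(2019, 12, 1), date(2020, 1, 15)), # fixed, 45 days
]
AS_OF = date(2020, 1, 31)


def mean_time_to_fix(findings, tier, as_of=AS_OF):
    """Average days to close for fixed findings in `tier`; None if none fixed yet."""
    ages = [f.age_days(as_of) for f in findings if f.tier == tier and f.closed]
    return round(mean(ages), 1) if ages else None


def within_target_pct(findings, tier, policy, as_of=AS_OF):
    """Percent of `tier` findings not past the deadline: closed in time, or still
    open but younger than the deadline. None when the tier has no deadline."""
    target = policy.get(tier)
    members = [f for f in findings if f.tier == tier]
    if target is None or not members:
        return None
    on_time = sum(1 for f in members if f.age_days(as_of) <= target)
    return round(100 * on_time / len(members))


def policy_report(findings, policy, as_of=AS_OF):
    """Per-tier mean time to fix and on-time percentage, plus the overall on-time
    rate across the tiers that actually carry a deadline."""
    report = {}
    on_time = total = 0
    for tier in TIERS:
        report[tier] = {
            "mttf_days": mean_time_to_fix(findings, tier, as_of),
            "within_target_pct": within_target_pct(findings, tier, policy, as_of),
        }
        target = policy.get(tier)
        if target is not None:
            members = [f for f in findings if f.tier == tier]
            total += len(members)
            on_time += sum(1 for f in members if f.age_days(as_of) <= target)
    report["overall_within_target_pct"] = round(100 * on_time / total) if total else None
    return report


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("tiered", TIERED_POLICY)):
        print(name, policy_report(SAMPLE_FINDINGS, policy))
```

On this sample the flat two-week policy reports 29 percent of findings on time overall and 0 percent for the important and acceptable tiers, which is the "will not paint a pretty picture" outcome the text warns about; the tiered policy reports 60 percent on time with the accepted-risk tier tracked but not counted against the team. The mean-time-to-fix figures are identical under both policies, which is why the on-time percentage, not the average alone, is the number to negotiate targets around.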
Security across the pipeline
We're seeing organizations start to build
security into each phase of the development pipeline, and expect to see more of
this shift in 2020. From pre-commit scans in the IDE (my code), to build
scans in the CI pipeline (our code), to deployment scans in the CD pipeline
(production code), security testing will cover code from inception to
production.
Scaling: DevSecOps
is no longer niche. Organizations are moving faster and producing more software
than ever before, and scaling is the name of the AppSec game in 2020. AppSec
programs that are cumbersome or slow to scale will not last in this new decade.
What are the keys to scaling AppSec?
A SaaS-based solution: The time
and budget required to quickly scale an on-premises AppSec solution make it ill
equipped for a modern DevSecOps environment.
Expert help: Outside AppSec
expertise can be useful in helping to establish your security program's goals
and roadmap. More importantly, it can help keep your roadmap on track by
guiding developers through the fixing of flaws your scans find.
Security champions: As we
discussed in the section above, security champions will be key to doing more
with less security staff.
Regulations
More and more security regulations are
specifically calling out the need for application security - from NIST, to PCI,
NY DFS, and GDPR. In turn, the need for documented application security
processes will become paramount in the new year. The Financial
Services Sector Cybersecurity Profile from
the FSSCC is an example of how FinTech firms are trying to unify reporting
standards for the various regulatory frameworks.
Demand for secure software
IT buyers are increasingly questioning the
security of software they are purchasing. If you can't answer questions about
your security practices or can't address your customers' audit requirements,
you're likely to experience lost or delayed sales opportunities. In some cases,
prospects will turn elsewhere. However, vendors that can address these security
concerns quickly and effectively stand out among suppliers and leverage
security as a competitive advantage. A recent survey report we conducted with IDG found that 96 percent of
respondents are more likely to consider doing business with a vendor or partner
whose software has been independently verified as "secure."
In addition, thanks to the speed of modern
software delivery, we will see the methods for attesting to the security of
software change. For example, we anticipate a shift to process-based
attestations, such as proof of the security of an application's development
process (as with Veracode Verified), rather than point-in-time
third-party pen tests. Point-in-time tests will carry less and less weight as
the speed of software updates and changes increases.
What's behind this demand for proof of
security? It stems in part from new, dire impacts from security breaches. When
Target was breached in 2013, it created headlines for a few weeks, but it
didn't really affect its bottom line. Today, that has changed. Now we are
seeing acquisitions fail, CEOs lose jobs, and stock values take hits because of
breaches. Proving your software is secure will give companies an advantage in
2020.