Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
AppSec Must Catch Up to Attackers
By Omer Yaron, Head of Research at Enso Security
Digital transformation set a new standard for organizational efficiency almost a decade ago, as enterprises realized that without joining the software revolution they would be left behind in an overwhelmingly software-intensive global market. Since then, the development of homegrown applications that accelerate the business has become increasingly agile and automated, relieving developers who had previously been bogged down and frustrated by the time and resources it took to write thousands of lines of code by hand. This agility has removed roadblocks for modern software development, which is great for productivity - and highly concerning for application security.
The code an organization writes has become one of its most critical business assets, and AppSec teams struggle to secure it. As Head of Research at Enso Security, the first Application Security Posture Management (ASPM) company, I've witnessed the challenges AppSec teams face in tracking applications across environments, measuring risk, prioritizing work and making sense of the chaos inherent in securing modern software development. Organizations cannot afford to be complacent about this growing gap between application development and security: threats abound, and software is an easy and accessible target. To overcome the threats I foresee for the years ahead, detailed below, AppSec has to become an automated, systematic discipline that does not interfere with development.
Cyberattacks against applications will accelerate.
When it comes to application security, 2021's software supply chain attacks are proving to be just the tip of the iceberg. While on-prem, cloud and SaaS security solutions have developed rapidly in the past few years, raising the bar for attackers who look for exposed infrastructure to discover and exploit, malicious actors continue to seek alternative paths to valuable assets. That has pushed cyber-crime toward the common weaknesses in applications themselves.
Software security (like software engineering in general) is a highly complex process built on layers of time-consuming, detail-oriented tasks that still require human judgment. Yet software security engineers account for less than 0.5% of software developers globally. These small AppSec teams are overwhelmed by gaps in visibility and by the volume of findings produced by security products, and have neither the time nor the resources to address critical flaws adequately. In the end they are unable to secure applications thoroughly.
The level of sophistication demonstrated in the major reported events of the past year suggests that some groups are able to weaponize exploits against every key instrument of software engineering, from the IDE to the code repositories and build automation, and of course the runtime itself. For attackers, the "software is eating the world" era opens a world of opportunities, as many businesses (new and established) depend on software without thoroughly managing the risk of non-resilient applications. We anticipate that this trend will continue: AppSec has yet to catch up with development agility, and the current gaps in application security are lucrative opportunities for attackers.
Software security attacks will bolster an unprecedented maturation process for software security.
The idea of restricting what code may do based on its origin has been around for a while, even in widely adopted stacks: Microsoft's .NET shipped Code Access Security in the early 2000s. At the time, layered protection against third-party code was hardly a necessity, and such practices have yet to become the standard for secure software engineering (CAS policy was later deprecated in .NET Framework 4 and is absent from .NET Core).
The alarming effect of recent attacks that severely compromised software integrity, combined with the significant challenge of securing the global package management ecosystems, will drive and accelerate the industry's development and adoption of additional controls to protect software from similar breaches. This maturation is imperative, but given its complexity and the sophisticated tooling required to manage the risk inherent in third-party software components, there is still a way to go.
Malicious actors will exploit this window and maximize their gains from a variety of attacks, including dependency confusion (publishing a public package under an internal package's name so that a resolver prefers it) and various forms of takeover of maintainer accounts and package names, which will inevitably lead to further attacks and a corresponding acceleration of the maturation process.
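Dependency confusion is mechanical enough to show in a few lines. The following Python example is added here and is not Enso's or the author's code; it simulates two package indexes with constructed data (the acme- internal prefix, the package names, versions and lockfile hash are all assumptions). It shows the vulnerable resolution that pip performs when a private index is supplied via --extra-index-url (both indexes are treated as equal and the highest version wins), a source-pinned resolver as the corrected behaviour, a hash check against a lockfile as a second control, and an audit that finds internal names an attacker has already squatted publicly.

```python
"""Dependency confusion, simulated offline with constructed registry data.

Two package indexes are represented as dicts, not real registries. The code
shows (1) an equal-priority resolver picking an attacker's higher-versioned
public package over the internal one, (2) a source-pinned resolver that never
looks up internal names publicly, (3) a lockfile hash check, and (4) an
exposure audit to run before an attacker does.
"""
import hashlib
from typing import Dict, List, Tuple

# Assumption: every first-party package name starts with this prefix.
INTERNAL_PREFIX = "acme-"

# Constructed index contents (package name -> published versions).
PRIVATE_INDEX: Dict[str, List[str]] = {
    "acme-billing-core": ["1.4.2", "1.5.0"],
    "acme-auth-client": ["0.9.1"],
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.31.0"],
    # Attacker-registered squat of an internal name with an absurd version.
    "acme-billing-core": ["99.0.0"],
}

# Constructed lockfile: name -> (version, sha256 of the artifact that was vetted).
LOCKFILE: Dict[str, Tuple[str, str]] = {
    "acme-billing-core": ("1.5.0", hashlib.sha256(b"vetted wheel bytes").hexdigest()),
}


def version_key(v: str) -> Tuple[int, ...]:
    """Sort key for dotted numeric versions, so "1.10.0" > "1.9.3"."""
    return tuple(int(part) for part in v.split("."))


def resolve_naive(name: str) -> Tuple[str, str]:
    """Vulnerable behaviour: merge candidates from both indexes and take the
    highest version regardless of which index served it."""
    candidates = [
        (version_key(v), origin, v)
        for origin, index in (("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX))
        for v in index.get(name, [])
    ]
    if not candidates:
        raise LookupError(name)
    _, origin, version = max(candidates, key=lambda c: c[0])
    return origin, version


def resolve_pinned(name: str) -> Tuple[str, str]:
    """Hardened behaviour: internal names come only from the private index and
    everything else only from the public one, so a public squat of an internal
    name is never a candidate."""
    if name.startswith(INTERNAL_PREFIX):
        origin, index = "private", PRIVATE_INDEX
    else:
        origin, index = "public", PUBLIC_INDEX
    versions = index.get(name)
    if not versions:
        raise LookupError(f"{name} not found in the {origin} index")
    return origin, max(versions, key=version_key)


def verify_lock(name: str, version: str, artifact: bytes) -> bool:
    """Second control: even a correctly sourced download must match the version
    and hash recorded in the lockfile when the dependency was vetted."""
    locked_version, locked_sha = LOCKFILE.get(name, (None, None))
    return version == locked_version and hashlib.sha256(artifact).hexdigest() == locked_sha


def audit_confusable() -> Dict[str, str]:
    """Exposure check: internal names that also exist publicly with a version
    that would outrank ours under naive resolution."""
    findings: Dict[str, str] = {}
    for name, versions in PRIVATE_INDEX.items():
        public = PUBLIC_INDEX.get(name)
        if not public:
            continue
        ours = max(versions, key=version_key)
        theirs = max(public, key=version_key)
        if version_key(theirs) > version_key(ours):
            findings[name] = theirs
    return findings


if __name__ == "__main__":
    print("naive :", resolve_naive("acme-billing-core"))   # ('public', '99.0.0')
    print("pinned:", resolve_pinned("acme-billing-core"))  # ('private', '1.5.0')
    print("audit :", audit_confusable())                   # {'acme-billing-core': '99.0.0'}
```

Running the script prints the three results shown in the comments. The same audit can be run against a real private index and PyPI, but that needs network access and is outside this example; the point is that the check is cheap enough to run in CI on every internal package name.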
Misconfigurations in cloud-based environments will be exploited.
As applications have migrated from on-prem infrastructure to cloud-native environments and container-orchestrated architectures in recent years, the vulnerabilities inherent in those environments attract malicious actors who view the cloud as an open and rewarding playing field. Cloud configurations are constantly in flux, with many automated application-level changes whose implementation demands great attention to detail.
We predict that misconfiguration scanning will mature to identify application-level misconfigurations, and that attackers will use the same scanners to find vulnerable deployments automatically and exploit them automatically to gain access to cloud resources. Such attacks will yield access to the organization's production environments and jeopardize both its security posture and its development infrastructure.
Looking ahead...
The AppSec space is booming, with new solutions to a constantly growing problem space developing rapidly. These solutions aim to replace outdated platforms that are riddled with blind spots and miles behind attackers, but they must keep in mind the three elements of AppSec whose absence attackers are keen to exploit - visibility, automation and management. Without these fundamentals, AppSec will remain woefully behind.
ABOUT THE AUTHOR
Omer has practical experience in securing large-scale cloud computing and serverless environments, from the design of complex authorization architectures to monitoring and incident response. While working at the Israel National Cyber Directorate, Omer took an active role in incident response and digital forensics for nation-level cyber-attacks on large organizations, and developed certification courses and methodologies for incident response and triage procedures for the Israeli Cyber Emergency Response Team SOC.
As part of the content core team of Magshimim, Israel's national cybersecurity youth training program, run in conjunction with the Ministry of Defence, the IDF and the National Cyber Directorate, he created cyber-related content and syllabi for exceptional youth in the field of computer science. Omer holds a BA in Philosophy and Business Management.