Enso Security 2022 Predictions: AppSec Must Catch Up to Attackers


Industry executives and experts share their predictions for 2022.  Read them in this 14th annual series exclusive.

AppSec Must Catch Up to Attackers

By Omer Yaron, Head of Research at Enso Security

Digital transformation set a new standard for organizational efficiency almost a decade ago, as enterprises realized that without joining the software revolution they would be left isolated in an overwhelmingly software-intensive global market. Since then, the development of homegrown applications that accelerate business has become increasingly agile and automated, freeing developers who were previously bogged down and frustrated by the time and resources consumed in writing thousands of lines of code. This agility has removed roadblocks for modern software development, which is great for productivity - and highly concerning for application security.

The code that organizations develop has become their most critical business asset, and AppSec teams struggle to secure it. As the Head of Research at Enso Security, the first Application Security Posture Management (ASPM) company, I've witnessed the challenges AppSec teams face in tracking applications across environments, measuring risks, prioritizing tasks and attempting to make sense of the chaos inherent in securing modern software development. I believe that organizations cannot afford to be complacent about this growing gap between application development and security, as threats abound and software is an easy and accessible target. In order to overcome the impending threats I foresee for the years ahead, detailed below, AppSec has to become an automated, systematic discipline that does not interfere with development.

Cyberattacks against applications will accelerate.

When it comes to application security, 2021's software supply chain attacks are proving to be just the tip of the iceberg. While cutting-edge on-prem, cloud and SaaS security solutions have developed rapidly in the past few years, raising the bar for attackers to discover and exploit vulnerable infrastructure, malicious cyber actors continue to seek alternative access points to valuable assets. This has pushed cybercriminals to explore common weaknesses in applications.

Software security (like software engineering in general) is a highly complex process built upon layers of time-consuming, detail-oriented tasks that still require human intervention. However, software security engineers account for less than 0.5% of software developers globally. These small AppSec teams are overwhelmed by gaps in visibility and by the volume of information produced by security products, and have no time or resources to adequately address critical security flaws. They are ultimately unable to thoroughly secure applications.

The level of sophistication demonstrated in the major reported events of the past year suggests that some groups have the ability to weaponize exploits against various key instruments of software engineering, from the IDE to the code repositories and build automation, and of course, the runtime itself. For attackers, the "software eating the world" era opens a world of opportunities, where many businesses (new and existing) rely on software - without thoroughly managing the risk of non-resilient applications. We anticipate that this trend will continue, as AppSec has yet to align itself with development agility and current gaps in application security present lucrative opportunities for attackers.

Software security attacks will bolster an unprecedented maturation process for software security.

The idea of restricting code based on its origin has been around for a while, even in widely adopted technological stacks such as Code Access Security, introduced by Microsoft's .NET in the early 2000s. At the time, layered security for third-party code was hardly a necessity. Therefore, such advanced practices have yet to become the standard for secure software engineering.

The alarming effect of recent attacks that severely compromised software integrity, combined with the significant challenge of securing global package management ecosystems, will drive and accelerate industry development and adoption of additional controls to protect software from similar breaches. This maturation process is imperative, but in light of its complexity and the sophisticated tools required to manage the risk innate in the use of third-party software components, there is still a way to go.

Malicious actors will exploit this time window and maximize the gains from a variety of attacks, including dependency confusion and various forms of takeovers. These will inevitably result in additional attacks and, in turn, an acceleration of the maturation process.
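One concrete control against the dependency confusion attacks mentioned above is to make sure every internal package is published under an organization-owned npm scope and that the scope is bound to the private registry in `.npmrc`, so that an unscoped internal name is never resolved from the public registry. The following check is an added example written for this article, not code from Enso Security; the `@acme` and `@acme-labs` scopes, the package names, the registry URL `https://npm.internal.example/` and the manifest contents are all constructed placeholders.

```python
"""Flag npm dependencies that a dependency-confusion attack could hijack.

A dependency is considered at risk when it is an internal package that is
either unscoped (so it resolves from the public default registry) or scoped
under an organization scope that .npmrc does not bind to the private registry.
All names, scopes and URLs below are constructed placeholders.
"""
import json
import re

PRIVATE_REGISTRY = "https://npm.internal.example/"        # assumed placeholder
INTERNAL_SCOPES = {"@acme", "@acme-labs"}                  # assumed org-owned scopes
INTERNAL_NAMES = {"acme-auth-client", "acme-billing-core"} # assumed unscoped internal names

# Constructed sample manifest for a fictional service.
PACKAGE_JSON = """
{
  "name": "billing-service",
  "dependencies": {
    "express": "^4.18.2",
    "acme-auth-client": "1.4.0",
    "@acme/logging": "2.0.1",
    "@acme-labs/tooling": "0.3.0"
  },
  "devDependencies": {
    "@acme/metrics": "0.9.0"
  }
}
"""

# Constructed .npmrc: @acme is bound to the private registry, @acme-labs is not.
NPMRC = """
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=${NPM_TOKEN}
"""


def parse_scope_registries(npmrc: str) -> dict:
    """Return {scope: registry_url} for every '@scope:registry=' line in .npmrc."""
    scopes = {}
    for line in npmrc.splitlines():
        m = re.match(r"^\s*(@[\w.-]+):registry=(\S+)\s*$", line)
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def find_confusable_deps(package_json: str, npmrc: str,
                         internal_scopes=INTERNAL_SCOPES,
                         internal_names=INTERNAL_NAMES,
                         private_registry=PRIVATE_REGISTRY) -> list:
    """Return [(package_name, reason)] for dependencies exposed to confusion."""
    manifest = json.loads(package_json)
    scope_map = parse_scope_registries(npmrc)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))

    findings = []
    for name in sorted(deps):
        if name.startswith("@"):
            scope = name.split("/", 1)[0]
            if scope not in internal_scopes:
                continue  # third-party scope, not an internal package
            bound = scope_map.get(scope)
            if bound is None:
                findings.append((name, f"{scope} is not bound to a registry in .npmrc; "
                                       "it resolves from the public default"))
            elif bound.rstrip("/") != private_registry.rstrip("/"):
                findings.append((name, f"{scope} is bound to {bound}, not the private registry"))
        elif name in internal_names:
            findings.append((name, "unscoped internal name resolves from the public registry"))
    return findings


if __name__ == "__main__":
    for pkg, reason in find_confusable_deps(PACKAGE_JSON, NPMRC):
        print(f"{pkg}: {reason}")
```

Run as-is, the script reports `acme-auth-client` (unscoped) and `@acme-labs/tooling` (scope not bound); `@acme/logging` and `@acme/metrics` pass because their scope is pinned. The same check fits naturally in CI next to a lockfile audit.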

Misconfigurations in cloud-based environments will be exploited.

As applications have migrated from on-prem infrastructure to cloud-native environments and container-orchestrated architectures in recent years, their inherent weaknesses are attracting malicious actors who view the cloud as an open and rewarding playing field. Cloud environment configurations are constantly in flux, with many automated application-level changes, and implementing them correctly requires a great deal of attention to detail.

We predict that misconfiguration scanning will mature to identify application-level misconfigurations, and that attackers will use the same capability to automatically scan for weaknesses and exploit them automatically to gain access to cloud resources. Such attacks will result in critical access to the organization's production environments and jeopardize both its security posture and its development infrastructure.

Looking ahead...

The AppSec space is booming, with new solutions to a constantly growing problem space developing rapidly. These solutions intend to replace outdated platforms that are riddled with blind spots and miles behind attackers, but they must keep top-of-mind the three crucial elements of AppSec that attackers are keen to abuse - visibility, automation and management. Without these fundamental characteristics, AppSec will remain woefully behind.

Omer Yaron 

Omer has practical experience in securing large-scale cloud-computing and serverless environments, from complex authorization architecture design to monitoring and incident response. Furthermore, while working at the Israel National Cyber Directorate, Omer took an active role in incident response and digital forensics of nation-level cyber-attacks across large organizations. He also developed certification courses and methodologies for incident response and triage procedures for the Israeli Cyber Emergency Response Team SOC.

While working on the content core team of Magshimim, Israel's national cybersecurity youth training program, in conjunction with the Ministry of Defence, IDF, and National Cyber Directorate, he created cyber-related content and syllabi for exceptional youth in the field of computer science. Omer holds a BA in Philosophy and Business Management.

Published Friday, December 17, 2021 7:35 AM by David Marshall