Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
AppSec in 2023: An Eagerly Awaited Debut – Application Security Industry Predictions
By Dan Murphy, Distinguished Architect, Invicti Security
It's no secret that organizations are in a constant battle to secure their web applications against cybercriminals. With the first anniversary of Log4Shell approaching and countless breaches this past year, it's easy to be pessimistic about the future. However, I anticipate that while 2023 will bring more challenges, it will also bring progress from the lessons learned, with an increased push for more accurate security solutions.
User error will influence the next year of cybersecurity problems. Breaches exposing sensitive data are now everyday occurrences. Most concerning, many of the recent attacks did not rely on zero-day exploits; they relied on the weakest link in any software process: human error. Because software is complex and no single team member understands every line of code, it's difficult to predict what will happen when a malicious actor sets their sights on your organization, and as release cycles accelerate, errors become more likely. Humans remain a critical part of software development, and we need their expertise to release software quickly while accounting for the nuances that AI or ML can't predict. That makes it essential to have the proper scanning in place so that their work is checked.
We will continue seeing exploits of Log4Shell. Organizations that are aware of Log4Shell instances in their estate have already worked on remediating them. The concern for 2023 is the older, forgotten systems where it is unclear who the owner is, or whether that person is still at the organization. If nobody understands how a system works and nobody monitors it, it's easy for malicious hackers to slip under the radar: they will exploit this vulnerability and use it as a foothold to find out what else in the environment can be compromised.
Because today's software tends to be a jumble of different components, fixing Log4Shell vulnerabilities isn't easy. When a developer adds an open-source package that itself depends on a vulnerable version of Log4j, that developer is often unaware that they have introduced a vulnerable component into their code, because the transitive dependency never appears in their own build file. This "unknown" is the most concerning part of the future of Log4Shell. As with human error, having the right tools to identify dependencies, including transitive and bundled ones, can help organizations better protect themselves.
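To make the "unknown dependency" problem concrete, here is an added example of the kind of check a dependency-inventory tool performs: it opens every JAR, WAR or EAR under a path, recurses into archives bundled inside other archives, and reports any copy of log4j-core along with its version and whether the JndiLookup class abused by Log4Shell is present. This is illustrative code added for this page, not the article's or Invicti's code; the version floor (2.17.1), the archive suffixes, the expected header list and the in-memory sample JAR are assumptions made for the example.

```python
"""Added example: find log4j-core wherever it is bundled, including JARs nested
inside other JARs/WARs, and flag versions below a chosen floor.
Not the article's or Invicti's code; the floor, paths and sample data are assumptions."""
import io
import re
import sys
import zipfile
from pathlib import Path

# Assumption: treat log4j-core below 2.17.1 as vulnerable. The backport lines
# 2.12.4 (Java 7) and 2.3.2 (Java 6) are also fixed; adjust the floor if you run those.
FIXED_FLOOR = (2, 17, 1)
# Maven metadata that log4j-core ships inside its JAR, and the class Log4Shell abuses.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties: str):
    """Return (major, minor, patch) from a pom.properties 'version=' line, else None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def scan_archive_bytes(data: bytes, label: str):
    """Scan one archive held in memory; recurse into any archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container (or corrupt): nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append({
                "path": label,
                "version": version,
                "vulnerable": version is not None and version < FIXED_FLOOR,
                "jndi_lookup_present": JNDI_CLASS in names,
            })
        elif JNDI_CLASS in names:
            # Shaded/relocated copies lose the Maven metadata but keep the class.
            findings.append({"path": label, "version": None,
                             "vulnerable": True, "jndi_lookup_present": True})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive_bytes(zf.read(name), f"{label}!{name}"))
    return findings


def scan_path(root):
    """Scan a single file, or walk a directory tree, for archives."""
    root = Path(root)
    files = [root] if root.is_file() else [p for p in root.rglob("*") if p.is_file()]
    findings = []
    for p in files:
        if p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive_bytes(p.read_bytes(), str(p)))
    return findings


def build_sample_app_jar(log4j_version="2.14.1"):
    """Constructed sample, built in memory: an application JAR that bundles a
    third-party library, which in turn bundles log4j-core. The application's own
    build file never mentions log4j, which is exactly the 'unknown' dependency case."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, content in entries.items():
                z.writestr(name, content)
        return buf.getvalue()

    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic; the contents are irrelevant here
    log4j = make_zip({
        POM_PROPS: f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={log4j_version}\n",
        JNDI_CLASS: fake_class,
    })
    lib = make_zip({"com/example/lib/Util.class": fake_class,
                    f"lib/log4j-core-{log4j_version}.jar": log4j})
    return make_zip({"com/example/App.class": fake_class,
                     "BOOT-INF/lib/third-party-lib-1.0.jar": lib})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_path(sys.argv[1])          # e.g. python scan_log4j.py /opt/apps
    else:
        results = scan_archive_bytes(build_sample_app_jar(), "sample-app.jar")
    for f in results:
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag}: {f['path']} version={f['version']} JndiLookup={f['jndi_lookup_present']}")
```

Run it with a directory argument to walk a real deployment; without arguments it scans the constructed sample and reports the log4j-core copy two archive levels deep. The `!`-separated path in the output tells the owner exactly which bundled library dragged the vulnerable version in, which is the information the build file alone cannot give.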
Government guidance and C-suite communication will be critical for AppSec. While the "unknown" poses a threat, I anticipate that things will continue to improve. Large-scale breaches and vulnerabilities like Log4Shell serve as a wake-up call for the InfoSec community. They've even prompted guidance from the White House: last year's Executive Order on Improving the Nation's Cybersecurity set out baseline secure development practices expected of suppliers that sell software to the federal government. In addition, according to Invicti research, 73% of organizations anticipate increasing their investment in AppSec in 2023. Attention at this level shows that cybersecurity is worth prioritizing.
Dynamic application security testing (DAST) covers your blind spots. Organizations attempting to right the ship should look at the tactics of malicious hackers and use them for good. At Invicti, we're committed to helping companies implement security measures to protect themselves from these attackers. DAST scanning uses the same techniques attackers do, probing the running application from the outside rather than reading its source, to give DevSecOps professionals an end-to-end view of security debt and direct action items for securing their web apps. It is designed to run as part of the automation pipeline so that security is integrated at every step of the development process, which makes it a powerful tool for spotting vulnerabilities and misconfigurations before they lead to big breaches.
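To show what "using attackers' techniques for good" looks like in practice, here is an added example of a minimal DAST-style probe: it sends attacker-shaped input to an endpoint, checks whether the response echoes it back unescaped (the signature of reflected cross-site scripting), and checks whether expected security headers are missing. It runs against two in-process WSGI apps, the same endpoint before and after hardening, so it works offline. This is illustrative code added for this page, not the article's or Invicti's scanner; the canary string, the header list and both sample apps are constructed assumptions.

```python
"""Added example of what a DAST probe does: exercise a running app from the
outside with attacker-style input and inspect what comes back. Not the article's
or Invicti's code; the apps, canary and header list are constructed assumptions."""
import html
import urllib.parse
from wsgiref.util import setup_testing_defaults

# A marker that a correctly escaped HTML page can never echo back verbatim.
CANARY = "dastprobe<'\">"
# Assumption: headers we expect every HTML response to carry.
EXPECTED_HEADERS = ("content-security-policy", "x-content-type-options")


def call_wsgi(app, path, query):
    """Send one GET request to a WSGI app in-process; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = urllib.parse.urlencode(query)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8", "replace")


def probe(app, path, param):
    """Black-box checks on one endpoint: reflected input (XSS) and missing security headers."""
    findings = []
    _status, headers, body = call_wsgi(app, path, {param: CANARY})
    if CANARY in body:
        findings.append(f"{path}?{param}=: input reflected without escaping (possible XSS)")
    for name in EXPECTED_HEADERS:
        if name not in headers:
            findings.append(f"{path}: missing response header {name}")
    return findings


# Constructed sample apps: the same endpoint before and after hardening.
def vulnerable_app(environ, start_response):
    params = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("name", [""])[0]  # raw user input...
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [f"<h1>Hello {name}</h1>".encode("utf-8")]  # ...dropped straight into HTML


def hardened_app(environ, start_response):
    params = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    name = html.escape(params.get("name", [""])[0])  # escape on output
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [f"<h1>Hello {name}</h1>".encode("utf-8")]


if __name__ == "__main__":
    for label, app in (("vulnerable_app", vulnerable_app), ("hardened_app", hardened_app)):
        print(label, probe(app, "/greet", "name") or ["no findings"])
```

The probe never sees the application's source; it learns that the vulnerable version is unsafe purely from the response, which is why this kind of check can be pointed at the forgotten, unowned systems described earlier as easily as at code that is actively developed. Pointing the same `probe` function at a real deployment would only require swapping `call_wsgi` for an HTTP client.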
## ABOUT THE AUTHOR
Dan Murphy, Distinguished Architect, Invicti Security
Dan Murphy has 20+ years of experience in the cybersecurity space, specializing in web security, distributed systems, and software architecture. As a distinguished architect at Invicti, he focuses on ensuring that Invicti products across the entire organization work together to provide a scalable, performant, and secure dynamic analysis experience.