Virtualization Technology News and Information
Invicti Security 2023 Predictions: An Eagerly Awaited Debut - Application Security Industry Predictions


Industry executives and experts share their predictions for 2023.  Read them in this 15th annual series exclusive.

AppSec in 2023: An Eagerly Awaited Debut – Application Security Industry Predictions

By Dan Murphy, Distinguished Architect, Invicti Security

It's no secret that organizations are in a constant battle to secure their web applications against cybercriminals. With the first anniversary of Log4Shell approaching and countless breaches this past year, it's easy to be pessimistic about the future. However, I anticipate that while 2023 will bring more challenges, it will also bring progress built on the lessons learned, with an increased push for more accurate security solutions.

User error will drive many of next year's cybersecurity problems. Breaches exposing sensitive data are now everyday occurrences. Most concerning, many of the recent attacks did not rely on zero-day exploits; they relied on the weakest link in any software process, which is human error. Because software is complex and no team member understands every line of code, it's difficult to predict what will happen when a malicious actor sets their sights on your organization, and as release cycles accelerate, errors become more likely. Humans remain a critical component of software development; we need their expertise to release software quickly while accounting for the nuances that AI or ML can't predict. What is necessary is to ensure that proper scanning is in place so that their work is checked.

We will continue to see exploitation of Log4Shell. Organizations that know about their Log4Shell instances have already worked on remediating them. The concern for 2023 is the older, forgotten systems where it is unclear who the owner is, or whether that owner is still at the organization. If nobody understands how a system works and nobody monitors it, malicious hackers can easily slip under the radar. Threat actors will exploit this vulnerability as a gateway, using it to test whether a website can be compromised.

Because today's software tends to be a jumble of different components, fixing Log4Shell vulnerabilities isn't easy. When a software developer adds an open-source package that itself depends on a vulnerable version of Log4j, that developer is unaware that they have introduced a vulnerable transitive dependency into their code. This "unknown" is the most concerning part of Log4Shell's future. As with human error, having the right tools to identify dependencies, including the transitive ones, can help organizations better protect themselves.
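The transitive case described above is exactly the one a dependency-tree walk surfaces. The following is an added example for this article, not Invicti's code: it parses the text output of `mvn dependency:tree`, locates every `org.apache.logging.log4j:log4j-core` node, classifies its version against the fixed releases in the Apache Log4j advisories, and reports the chain of dependencies that pulled it in. The Maven tree embedded below is constructed for the example, and `com.example:legacy-reporting` is a hypothetical library standing in for the kind of internal package that silently drags in an old `log4j-core`.

```python
"""Walk `mvn dependency:tree` output, flag org.apache.logging.log4j:log4j-core,
and show which direct dependency pulled each copy in.

Added example for this article, not Invicti's code. The Maven tree below is
constructed; com.example:legacy-reporting is a hypothetical library.
"""
import re
from dataclasses import dataclass

LOG4J_CORE = "org.apache.logging.log4j:log4j-core"

# Fixed versions per the Apache Log4j security advisories. Log4Shell
# (CVE-2021-44228) was fixed in 2.15.0, with 2.12.2 (Java 7) and 2.3.1
# (Java 6) backports; the last follow-up CVE (CVE-2021-44832) was fixed
# in 2.17.1, 2.12.4 and 2.3.2. Keyed by (major, minor) release branch.
LOG4SHELL_FIXED = {(2, 12): (2, 12, 2), (2, 3): (2, 3, 1)}
FULLY_FIXED = {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}
DEFAULT_LOG4SHELL_FIXED = (2, 15, 0)
DEFAULT_FULLY_FIXED = (2, 17, 1)

# One tree line after the "[INFO] " prefix is removed: 3-character
# indentation cells ("|  ", "   ", "+- ", "\- ") followed by the coordinate.
NODE = re.compile(r"^((?:\|  |   |\+- |\\- )*)(\S.*)$")


def parse_version(version: str) -> tuple:
    """'2.14.1' -> (2, 14, 1). Pre-release tags such as '2.0-beta9' are
    reduced to their numeric part, which errs on the side of flagging."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable log4j version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: str) -> str:
    """Return 'log4shell', 'followup-cves', 'fixed' or 'not-log4j2'."""
    v = parse_version(version)
    if v[0] != 2:
        # Log4j 1.x is end-of-life with its own CVEs, but not Log4Shell.
        return "not-log4j2"
    branch = v[:2]
    if v < LOG4SHELL_FIXED.get(branch, DEFAULT_LOG4SHELL_FIXED):
        return "log4shell"
    if v < FULLY_FIXED.get(branch, DEFAULT_FULLY_FIXED):
        return "followup-cves"
    return "fixed"


@dataclass
class Finding:
    version: str
    status: str
    path: list  # direct dependency -> ... -> log4j-core, as group:artifact:version


def find_log4j_core(tree_text: str) -> list:
    """Parse a Maven dependency tree and return every log4j-core node together
    with the chain of dependencies that introduced it."""
    findings, stack = [], []
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = NODE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        if len(parts) < 4:
            continue  # plugin banners, separators and other non-node output
        # Coordinate layout: group:artifact:packaging[:classifier]:version[:scope]
        ga = f"{parts[0]}:{parts[1]}"
        version = parts[4] if len(parts) >= 6 else parts[3]
        stack = stack[:depth] + [f"{ga}:{version}"]  # stack[0] is the project itself
        if ga == LOG4J_CORE:
            findings.append(Finding(version, classify(version), stack[1:]))
    return findings


def report(findings: list) -> list:
    """One human-readable line per finding."""
    return [f"log4j-core {f.version} [{f.status}] via " + " -> ".join(f.path)
            for f in findings]


# Constructed sample: a Spring Boot app on logback, plus a hypothetical
# internal library that still ships a Log4Shell-vulnerable log4j-core.
SAMPLE_TREE = r"""[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ billing-portal ---
[INFO] com.example:billing-portal:jar:3.2.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.6:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter:jar:2.5.6:compile
[INFO] |     \- org.springframework.boot:spring-boot-starter-logging:jar:2.5.6:compile
[INFO] |        \- ch.qos.logback:logback-classic:jar:1.2.6:compile
[INFO] \- com.example:legacy-reporting:jar:1.4.2:compile
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]       \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
"""

if __name__ == "__main__":
    for line in report(find_log4j_core(SAMPLE_TREE)):
        print(line)
```

Run against a real project with `mvn dependency:tree | python3 find_log4j.py` after swapping the sample for `sys.stdin.read()`. Because Maven resolves a single version per artifact, the tree shows only the winning `log4j-core`; pass `-Dverbose` to `dependency:tree` if you also want to see the older copies that lost that conflict. The path in each finding is the remediation lead: it names the direct dependency whose upgrade or exclusion removes the vulnerable component.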

Government guidance and C-suite communication will be critical for AppSec. While the "unknown" does pose a threat, I anticipate that things will continue to improve. Large-scale breaches and vulnerabilities like Log4Shell serve as a wake-up call for the InfoSec community. They have even prompted guidance from the White House: last year's Executive Order on Improving the Nation's Cybersecurity set out the minimum that software companies need to do to protect themselves from bad actors. In addition, according to Invicti research, 73% of organizations anticipate increasing their investment in AppSec in 2023. Communication at this level shows that cybersecurity is worth prioritizing.

Dynamic application security testing (DAST) covers your blind spots. Organizations attempting to right the ship should look at the tactics of malicious hackers and use them for good. At Invicti, we're committed to helping companies implement security measures that protect them from these attackers. DAST scanning uses the same techniques attackers do, probing the running application from the outside, to give DevSecOps professionals an end-to-end view of security debt and direct action items for securing their web apps. It is designed to run as part of the automation pipeline, integrating security at every step of the development process, which makes it a powerful tool for spotting vulnerabilities and misconfigurations before they lead to major breaches.



Dan Murphy, Distinguished Architect, Invicti Security


Dan Murphy has 20+ years of experience in the cybersecurity space, specializing in web security, distributed systems, and software architecture. As a distinguished architect at Invicti, he focuses on ensuring that Invicti products across the entire organization work together to provide a scalable, performant, and secure dynamic analysis experience.

Published Tuesday, November 01, 2022 7:30 AM by David Marshall