Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
A greater focus on application security
By Amy Baker, Security Education Evangelist, Security Journey
Given the incredibly competitive and challenging economic environment,
organizations continue to invest in application development in the race to win
market share. Development teams are consequently under significant pressure to
produce a viable product quickly, and demands on developers have grown as the
amount of code they manage has increased 100x over the last 10 years. On top of
this, 92% of developers feel pressured to write code faster. Unfortunately, the
same degree of urgency isn't being applied to the security of these new
applications: the number of new vulnerabilities recorded in the NIST National
Vulnerability Database has increased by 210% in the last several years.
Many of these vulnerabilities could be prevented by writing secure code when
new features and applications are created. Yet some developers may not realize
the importance of learning key security principles, or may lack the knowledge
of exactly how to implement them. It is also unlikely they've had the necessary
education: secure coding courses are not a requirement in any of the top 50
university computer science programs in the United States. It seems we are now
in something of an Application Security Dilemma.
However, it is not an unsolvable dilemma. The solution requires a shift in the
way that many view coding and innovation, to create a clear security-first
mindset. When developing applications, security must come first, and there
needs to be recognition from the top that in the race to market, speed doesn't
always win if the security of the product is compromised. According to Boehm's
law, "the cost of finding and fixing a defect grows exponentially with time", so
a vulnerability caught while the code is being written is far cheaper to fix
than one found after release. That principle directly benefits the bottom line
of organizations that prioritize security from the start.
We've outlined our top three predictions for 2023 and
suggested how the software development industry can overcome the current AppSec
dilemma with programmatic and continuous secure coding training.
1. Greater developer focus on application security
Even the most experienced developers can inadvertently write insecure code and
become a non-malicious insider threat. This is not to say they are intentionally
neglecting security best practice, but the lack of available education around
secure coding means that it often falls to the bottom of a long list of
priorities. The result is code pushed with vulnerabilities, and application and
enterprise risk rising with it.
It is hard to expect development teams to make more secure decisions and write
more secure code if they've never been trained in application security. The
reality is that developers typically strive to master their trade and will
likely look to prioritize shifting left as part of a longer journey towards
DevSecOps and more secure code in 2023. Yet bringing security into the mix
earlier, and recognizing the value of proactively reducing vulnerabilities,
requires continuous training and education around key principles that can be
applied in any scenario. It's about looking past "awareness" of an application
security issue and embracing knowledge of how to solve these issues, the effects
they may have on the application, enterprise and end user, and why they should
be resolved as a priority.
2. An increasing skills gap alongside budget scrutiny
The skills gap has long been an issue for the cybersecurity
and software development industries. Organizations are still struggling to fill
a third of key software roles due to market shortages and hiring pressures.
While more AppSec tools can support a skeleton workforce, breaches will only
continue if development teams don't understand the fundamentals of secure
coding.
Security training must therefore be proactive and form a crucial element of
any security management strategy. The right education program can turn
developers into a strong line of defense, so that businesses won't need to hire
larger teams of equally scarce and expensive application security
professionals.
Because 2023 will be a year of increased budget scrutiny, organizations will
be able to reduce costs by investing in the skills of their current development
teams rather than recruiting security specialists from an already narrow
market.
3. Ever-evolving risks
The metaverse and Web3 both pose new threats in the ever-evolving threat
landscape. While these technologies present great opportunities for businesses,
the security risks that come with them have not yet been fully realized. Take
the metaverse as an example. This complex system has no current standard for
how it will run, and most security tools are not designed for decentralized
solutions. This creates significant risk, as threat actors may be able to slip
through the cracks. Secure coding, and education on how exploits occur, will be
a vital part of protecting this environment.
There are several challenges development teams are likely to
come up against in 2023, including the widening skills gap, tighter budgets and
increasing risk from new technologies. However, if application security becomes
a key development focus and organizations support their teams with programmatic
and continuous secure coding training, the AppSec dilemma is one the industry
can definitely overcome.
ABOUT THE AUTHOR
Over her 30-year career, Amy has more than 10 years of experience driving the
mission of improving security knowledge for employees in all roles. Her current
responsibility is dedicated to improving security knowledge for everyone in the
software development life cycle, with a specific focus on developers. Her work
in this area began as a leader at Wombat Security and continued at Proofpoint
after its acquisition of Wombat in 2018. She has spoken about best practices in
managing security training programs at various infosec conferences and
webinars, including Gartner, SecureWorld, and ISSA events.