Virtualization Technology News and Information
Mend.io 2024 Predictions: 6 AppSec Resolutions for 2024


Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.

6 AppSec Resolutions for 2024

By Jeff Martin, Vice President of Product, Mend.io

Software security is one of the most critical priorities for 2024 and beyond. And while effective software security has many components, success hinges on the application layer: research has found that nearly half of all data breaches over the past several years originated at the web application layer.

But some application security programs are more effective than others. A recent survey of 350 application developers and senior security decision makers identified six distinct characteristics of organizations that can prioritize vulnerabilities and effectively remediate them.

Organizations looking to improve their AppSec efforts should consider adopting these characteristics in the coming year.

1.  Fully embrace DevOps

Organizations that report the ability to efficiently remediate vulnerabilities were more than twice as likely to report they have extensively embraced DevOps (46% vs. 20%). DevOps processes such as continuous integration and deployment (CI/CD), containerization, automation testing, and collaborative deployment all contribute to increased agility and greater integration of security practices in the software development lifecycle (SDLC).

2.  Adopt automation of security workflows

Those organizations that incorporate security processes into DevOps processes and developer workflows are able to optimize remediation efficiency. In fact, those able to keep up with vulnerabilities are 3.3 times more likely to report that they have extensively incorporated security into development processes. Automating the identification and remediation of vulnerabilities before deployment to production is one example. Respondents also report using software composition analysis (SCA) tools to audit third-party software components to identify and remediate vulnerabilities.

3.  Treat open source vulnerabilities with urgency

Open source software (OSS) is a valuable tool for developers to build sophisticated software quickly, but ensuring the security of OSS is paramount. Organizations that report the ability to efficiently remediate vulnerabilities were more than twice as likely to report that they treat all open source vulnerabilities in their apps as a "must fix" (60% versus 28%).

4.  Utilize SBOMs and know your code

Organizations able to efficiently remediate vulnerabilities were also more likely to say they view being able to answer questions about their code - where it came from, who has access, where the code is stored, and its documented composition - as critical. It's no surprise, then, that these organizations are more likely to treat a software bill of materials (SBOM) as a mandatory part of their development process for all applications (47% versus 17%).

5.  Centralize security teams and support developers to execute security work

The fast pace and continuous workflows of modern software development require a new approach to application security. The organizations able to efficiently remediate vulnerabilities said their security teams are entirely centralized and separate from development teams (53% versus 30%), and that their development teams are taking on more security responsibilities with support from security. The data demonstrates the effectiveness of placing security in an oversight and guidance role while developers address security fixes.

6.  Encourage collaboration, early and often

Organizations can address their application security challenges by encouraging collaboration across security, development and IT and aligning on common goals. Additionally, the research found organizations that initiated collaboration during the "requirements and design" phase of the SDLC exhibited a notably lower average of 2.3 serious security incidents, compared with 3.2 incidents experienced by organizations that engaged in collaboration during later stages of the SDLC.

Companies that effectively remediate security vulnerabilities experience fewer security incidents. By implementing the above best practices, security teams can collaborate and align with development to support their workflows and requirements. In doing so, organizations can optimize their effectiveness to scale with development and, most importantly, mitigate risk to stay ahead of threats.


ABOUT THE AUTHOR

Jeff Martin is currently vice president of product at Mend.io. Jeff has spent the last 20 years in product roles helping both the organizations he worked for and their customers transform and measure their software risk management processes and practices. He especially enjoys cultural and mindset transformations for their ability to create lasting progress.

Published Thursday, December 28, 2023 7:01 AM by David Marshall