We had the opportunity to speak with many application security and cloud security professionals this year, and we decided to synthesize those conversations and add our own take on the topics that are top of mind for security professionals. The result is this list - Oxeye's AppSec Predictions for 2023. At a high level, the dominant theme is the dissolution of the barrier between appsec and cloud security for modern, distributed applications. The impact runs in both directions, even though the status quo, where AppSec and Cloud Security pros each focus on their own area, still remains. Part of the reason is that legacy appsec and cloud security vendors have for the most part skirted the issue, and don't speak fully about the impact of each domain on the other. Other things that emerged in our conversations? Security leaders will no longer put up with approximations and poor visibility into their risk exposure; 'shift left' has very real shortcomings that bog companies down on the way to digital transformation and must change; and software supply chain security will become a lot less confusing once a clearer set of definitions takes hold.
- Application security and cloud security are going to converge
As more and more applications are built cloud native - distributed applications running as containers in the cloud, where a vulnerability can span several microservices and traverse the infrastructure layer - the distinction between application security and cloud security has blurred. Application risk is now shaped by the underlying cloud infrastructure (identities, network exposure, workload configuration), while cloud security now has to take the application layer into account in its attack path analysis: a misconfigured service is far more urgent when the code running on it is reachable and exploitable. For appsec professionals, this means learning to perform accurate analysis of cloud native applications, which combines code analysis with analysis of the cloud it runs on. For cloud security professionals, it means finding a way to add application layer analysis to their existing posture management.
- ‘Shift left’ will become ‘Shift everywhere’
For the last decade, people have been talking about shifting left. The truth is, the more purely static your analysis is, the less context it has - whether the flagged code is ever executed, whether the input is actually attacker-controlled, whether the service is even reachable - so the more false positives you get, and the greater the alert fatigue. Running a SAST tool doesn't actually tell you what your application risk is, only that you have a pile of findings, some real, some not. There's a real need to tie runtime analysis to the signals you're getting from your static scanners, so that you get contextual knowledge of what's actually happening in your applications. Intelligent analysis that combines signals from static analysis with signals from runtime analysis (shifting a bit to the right) will give a truer picture of the vulnerabilities in your applications, and of how each one contributes to overall risk.
- The C-Suite will demand greater visibility into the risk contributions of applications and the teams that build them
The days when the greatest challenge for the appsec team was 'What vulnerabilities are in our applications, and how do we remediate them?' are going away. That question will be replaced by the need to establish and report metrics on the risk contribution of each application, together with a clear chain of accountability to the teams responsible for building and securing it. Leaders will want this so they can allocate resources where they lower overall risk exposure the most. It will force appsec teams to find tools that provide detailed, high fidelity risk profiles for each application in their care: a 'risk score' for the application (calculated from the number, type, and severity of the vulnerabilities left unremediated), the kinds of data the application collects, transfers and stores, and the number of records involved, among other factors.
- There will be a demand for clearer prioritization data, making the Vulnerability Exploitability Exchange (VEX) more popular
Vulnerability management typically means sorting through a mountain of noise to figure out what really needs to be remediated, what doesn't, and in what order. Appsec professionals will demand that tool vendors provide clear data on the relative risk that each vulnerability presents, so that they're not left guessing what to remediate first, or forced to assign precious resources to manual prioritization. This shift demands a clear, consistent, machine-readable format for communicating that information, so it can drive automations and integrations rather than spreadsheets. The Vulnerability Exploitability Exchange (VEX) will become more popular as a result. It is worth being precise about what VEX does: a VEX document carries a supplier's or operator's statement of whether a product is actually affected by a vulnerability in one of its components (affected, not affected, fixed, or under investigation), along with a justification such as the vulnerable code not being in the execute path. That is exactly the exploitability context that lets a team discard findings that cannot be exploited and spend its time on the ones that can.
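As an added example (not Oxeye's code or a feature of any product mentioned on this page), the script below shows how a VEX document feeds prioritization in practice: it takes a list of SBOM-derived scanner findings, applies the VEX statements that cover them, suppresses the findings marked not_affected or fixed, and ranks what remains. It goes slightly beyond the text by also ordering the remaining work queue by status tier and CVSS score. The VEX document is a constructed sample in the shape of an OpenVEX document and the statuses and justifications follow the CISA VEX vocabulary; the CVE identifiers, package URLs, and vendor name are placeholders, not real vulnerabilities or real products.

```python
"""Apply VEX statements to scanner findings and rank the remaining work.

Added example; the VEX document and findings are constructed samples with
placeholder identifiers (CVE-0000-xxxx, example.test) rather than real CVEs.
"""
import json

# Constructed scanner output: vulnerability id, package URL of the affected
# component, and CVSS base score as a scanner would report it.
FINDINGS = [
    {"id": "CVE-0000-0001", "product": "pkg:npm/example-lib@1.2.3", "cvss": 9.8},
    {"id": "CVE-0000-0002", "product": "pkg:npm/example-lib@1.2.3", "cvss": 7.5},
    {"id": "CVE-0000-0003", "product": "pkg:golang/example.test/svc@0.4.0", "cvss": 5.3},
    {"id": "CVE-0000-0004", "product": "pkg:golang/example.test/svc@0.4.0", "cvss": 8.1},
]

# Constructed VEX document in OpenVEX shape. Note that CVE-0000-0004 has no
# statement at all, which the triage logic must treat as "unknown", not "safe".
VEX_JSON = """{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.test/vex/constructed-sample",
  "author": "Example Vendor PSIRT (constructed)",
  "timestamp": "2023-01-15T10:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:npm/example-lib@1.2.3"}],
     "status": "affected",
     "action_statement": "Upgrade to 1.2.4 when released; restrict network access meanwhile"},
    {"vulnerability": {"name": "CVE-0000-0003"},
     "products": [{"@id": "pkg:golang/example.test/svc@0.4.0"}],
     "status": "under_investigation"}
  ]
}"""

# The four VEX statuses defined by CISA's VEX guidance and used by OpenVEX.
VALID_STATUSES = {"affected", "not_affected", "fixed", "under_investigation"}


def index_vex(vex_doc):
    """Map (vulnerability id, product id) -> statement, dropping anything unsafe.

    A statement can only ever *suppress* a finding, so malformed statements are
    skipped rather than trusted: unknown statuses are ignored, and a
    not_affected claim with neither a justification nor an impact_statement is
    ignored too, because an unjustified "not affected" must not silence a finding.
    """
    index = {}
    for st in vex_doc.get("statements", []):
        status = st.get("status")
        if status not in VALID_STATUSES:
            continue
        if status == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
            continue
        vuln = st.get("vulnerability", {}).get("name")
        for prod in st.get("products", []):
            pid = prod.get("@id")
            if vuln and pid:
                index[(vuln, pid)] = st
    return index


def triage(findings, vex_doc):
    """Split findings into (work_queue, suppressed) using the VEX document.

    The work queue is ordered by tier, then by CVSS descending within a tier:
    confirmed affected first, then findings with no VEX statement at all (nothing
    is known, so they cannot be deprioritized), then under_investigation, where
    the supplier is at least actively looking.
    """
    index = index_vex(vex_doc)
    queue, suppressed = [], []
    for f in findings:
        st = index.get((f["id"], f["product"]))
        status = st["status"] if st else "no_vex_statement"
        note = (st or {}).get("justification") or (st or {}).get("action_statement") or ""
        entry = dict(f, vex_status=status, vex_note=note)
        (suppressed if status in ("not_affected", "fixed") else queue).append(entry)
    tier = {"affected": 0, "no_vex_statement": 1, "under_investigation": 2}
    queue.sort(key=lambda e: (tier[e["vex_status"]], -e["cvss"]))
    return queue, suppressed


def run_sample():
    """Run the triage over the constructed sample data."""
    return triage(FINDINGS, json.loads(VEX_JSON))


if __name__ == "__main__":
    work, skipped = run_sample()
    for e in work:
        print(f"TODO  {e['id']}  cvss={e['cvss']}  {e['vex_status']}  {e['vex_note']}")
    for e in skipped:
        print(f"SKIP  {e['id']}  {e['vex_status']}  {e['vex_note']}")
```

Two design choices matter here. First, a VEX statement is matched on the exact (vulnerability, product) pair, because a supplier's "not affected" for one version says nothing about another. Second, the absence of a statement is treated as unknown and kept in the queue; VEX reduces noise only where someone has actually made an assertion, and the justification string (here, the vulnerable code not being in the execute path) is precisely the runtime-context signal the earlier section argues static scanners lack.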
- Software supply chain security will finally have a clearer definition
But it won't be a simple one. Ask 10 different people what software supply chain security is, and you're likely to get 10 different answers, some of them lengthy and confusing. As software supply chain security continues to receive more scrutiny, a more precise and consistent definition will emerge, but it is unlikely to be a single one-sentence definition. Expect instead a set of clearly defined categories (for example, the integrity of the build pipeline, the provenance of third-party components, and the handling of known vulnerabilities in those components), each with its own definition and requirements.