It’s been nearly a decade since the World Economic Forum described the application economy as a tipping point where software was incorporated into almost everything. This milestone represented a shift towards applications that changed users’ expectations for acquiring information and transacting with brands. Apps also gave companies more control to build sticky relationships with users and a faster way to expand globally. Alongside this app-driven opportunity came warnings for companies and developers that committing to stringent security standards would be required to protect user data.
The mobile app market has seen steady growth of 11.5% CAGR and is poised to reach a total value of just over $366 billion across gaming, entertainment, music, health, social, retail and other sectors by 2027. But what about the “stringent security standards” necessary to bolster consumer confidence? Especially now, with costly breaches making headlines and vulnerabilities such as Log4j and Spring4Shell exposing massive, global challenges associated with leveraging open source and third-party code for application development.
Fireside chat with security experts
To help unravel the trends in application security, we invited topic experts Bruce Schneier and Martin Lee to join AppDynamics app security leader Randy Birdsall for a lively discussion. With decades of combined experience thwarting bad actors and protecting organizations (and their apps) from vulnerabilities, they did not disappoint with their insights and recommendations. The conversation took interesting twists and turns worth mentioning below, plus sidebars about security trousers that made us laugh.
Now available for replay on June 21, 2022 — here’s a quick recap:
Current state of global application security
In the webinar session, we heard unanimous agreement that human error is an inescapable top contributor to application security concerns. Fortunately, that’s expected to change over the next decade as machine learning (ML) and artificial intelligence (AI) capabilities become more sophisticated — but for now, we remain dependent on humans who, intentionally or not, write and use vulnerable code that can equate to millions in lost revenue for ill-prepared companies.
Challenges with sharing code
Third-party and open source code are arguably necessary to satisfy consumer demand for cutting-edge software, new features, and updates released often and fast. Unfortunately, they are also big contributors of vulnerabilities, making security-first education and internal code audits imperative. As security guru Bruce Schneier mentioned, the US Government finally put forth an executive order on improving the nation’s cybersecurity that includes a software bill of materials (SBOM) to track open source and commercial components in federal software, making it easier to discover and mitigate vulnerabilities like Log4j and Spring4Shell: when a component is listed with its version, finding every affected deployment becomes a lookup rather than a hunt.
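As an added illustration of how an SBOM makes that discovery mechanical (example code written for this recap, not from AppDynamics, Cisco or the webinar; the SBOM fragment, the advisory version range and the advisory reference are constructed placeholders, not real advisory data):

```python
import json

# Constructed CycloneDX-style SBOM fragment (not any real project's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"group": "org.springframework", "name": "spring-beans", "version": "5.3.17"}
  ]
}
"""

# Assumed advisory feed: (group, name, first affected, first fixed, reference).
# The version range and reference are illustrative placeholders, not an
# authoritative advisory; a real check would load these from a vulnerability feed.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0", "2.15.0", "ADVISORY-PLACEHOLDER-1"),
]


def parse_version(v):
    """Turn '2.14.1' into a comparable tuple.

    A '-beta9' style suffix sorts below the plain release of the same number,
    so pre-releases inside the affected range are still flagged.
    """
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return nums, ((0, pre) if pre else (1, ""))


def find_affected(sbom_json, advisories):
    """Return (coordinate, version, reference) for every SBOM component whose
    version falls in [first_affected, first_fixed) of an advisory."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        ver = parse_version(comp["version"])
        for group, name, first_bad, first_fixed, ref in advisories:
            if comp.get("group") != group or comp["name"] != name:
                continue
            if parse_version(first_bad) <= ver < parse_version(first_fixed):
                hits.append((f"{group}:{name}", comp["version"], ref))
    return hits


if __name__ == "__main__":
    for coord, version, ref in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{coord}@{version} matches {ref}")
```

Only the 2.14.1 copy is reported; the patched 2.17.1 copy and the unrelated Spring component pass, which is exactly the triage an SBOM lets a team do in minutes across a fleet.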
Challenges with security education
Developing a security-first mindset is a given for students on a security track, but for student programmers who would benefit from a security-first foundation for coding, it’s a struggle. According to Bruce Schneier, author and lecturer on the topic of cybersecurity, most degree-seeking programmers graduate and enter the workforce without the requisite security knowledge, which causes a trickle-down effect that puts employers in the hot seat for on-the-job education. It can also create an uneven playing field: large companies, especially those with significant technology investments, most likely have security education programs in place, while smaller organizations and freelance developers remain more challenged to stay on top of constantly shifting security considerations. In other words, something known to be safe one day can be proven otherwise the next day — and best practices become obsolete over time — all of which requires continual education regardless of knowledge gained in a classroom or at work.
Application security tips from Cisco
Martin Lee, a technical lead within the Talos Security Intelligence and Research Group at Cisco, is focused on the latest developments in threat intelligence and response. He mentioned that using third-party and open source code can be a good idea because, with lots of people looking, vulnerabilities are typically found quite early in development. But that’s not a fail-safe, and for the past several years Talos has been involved in finding vulnerabilities in open source code and helping fix them. And Cisco is not the only organization lending a hand.
Reducing exposure to threats
Martin also shared that on average the Talos team finds about one vulnerability for every working day of the year. Quick math: that’s roughly 250 new vulnerabilities per year found by Talos, and the number goes up as other collaborators and contributors dedicated to the cause add their findings. Martin suggests we need to think in layers of security, and to verify and contain software so that if a vulnerability is exposed or the code gets compromised, it can’t cause too much damage.
Cross-functional teams — communication is key
Without visibility, reacting fast enough when something goes awry is difficult. AppDynamics security leader Randy Birdsall spotlighted communication breakdowns on tech teams, noting that a lack of shared visibility across application development chains leaves teams without the shared context they need to collaborate effectively. Bruce Schneier added that tech teams need to audit their own code on a regular basis, and Martin Lee weighed in with the need to adopt the mindset of asking two important questions along the entire CI/CD pipeline: (1) What could go wrong? And (2) What am I doing to prevent it? Doing so helps expose security gaps that can be addressed and remediated before code is pushed and users are impacted.
What to expect: The future of application security
What should we prepare for as application security evolves? With resounding agreement, our experts say AI/ML will significantly aid in vulnerability detection. Visibility with a shared context across the application delivery chain will likely become the norm for organizations of all sizes, and AI/ML-assisted code development will evolve to help expose vulnerabilities while code is being written, giving developers a chance to fix code before it’s pushed to users.
For more insights from security leaders Bruce Schneier, Martin Lee and Randy Birdsall, watch the AppDynamics Modern Application Security Trends replay airing June 21, 2022.