By Chris Leffel
Applications are a key piece of the digital transformation puzzle. They are also a moving target: many organizations are moving current mission-critical apps to the cloud while developing new ones and working to keep them all updated and secure, without enough skilled hands to manage it, all while cybercriminals wage war. Applications are a cybercriminal’s favorite target. In fact, according to a recent report, web and mobile application attacks have spiked, accounting for 67% of all attacks as remote access becomes a common vulnerability. The remote work environment has been a field day for threat actors. You can bet that cybercriminals are innovating and scaling as we speak, making application security more important than ever.
The state of application security is rapidly changing, and businesses must transform accordingly. We’re seeing five trends in app development that make security more challenging.
5 challenging app sec dev trends
The speed of change: The pace of software releases has increased dramatically. Not so long ago, a major software release came every year or two, or every six months if a company was really pushing the envelope. Now, in some cases, companies are pushing thousands of changes to an app each day. Some organizations are targeting an hour-long development cycle instead of a months-long one. Security can take a back seat to quickly going to market with new features.
New ways to build: In the past, software was built to be monolithic and server-based, where development teams would write a bunch of code that would sit on a server that interacted with web browsers.
But in recent years, companies are breaking up these huge pieces of software and turning them into collections of cloud-native containers, strung together with application programming interfaces, or APIs. The new app development model is focused on microservices that are then packaged together to create a full-featured app package. This can create a wider attack surface where one vulnerability in one microservice can give attackers a foothold or access to customer data.
Tearing down walls: For several years, organizations have been moving from separate software development and operations teams to combined DevOps teams, and that trend is accelerating during the age of apps. As part of the move to DevOps, organizations are moving to an infrastructure-as-code model, with configuration files created that contain a company’s infrastructure specifications, making it easier to change configurations.
Organizations are no longer putting code on servers but instead are writing infrastructure code that automatically spins up the servers they need to deploy their code on.
There are a lot of good reasons to move to the DevOps model, but its focus on a continuous development cycle – and rapidly changing infrastructure configurations – also creates challenges for the security team.
Outdated skills: Development technologies are outpacing the knowledge of security teams. Security professionals not only need to learn about new development techniques like microservices, but many companies are operating in multiple cloud environments, with each cloud having its own security idiosyncrasies. Many companies also use multiple container platforms, each with its own security model.
Security professionals have a difficult time staying current with all the development techniques and environments their companies are using. There are simply too many things changing all the time for a security professional to keep up with.
A new voice: In addition, development teams are gaining more of a voice in security issues. In many ways, that’s a positive change, but it can create tension between traditional security professionals and developers who want to release apps quickly. Developers, often with pressure from company executives to increase revenue, are frequently pushing for speed, while security teams are often pushing back to protect the company and its assets.
These trends will only intensify. Companies now building their revenue streams with dozens of rapidly developed apps should consider approaching app security differently. The Modern AppSec Framework delivers a functional plan that organizations can use to develop and deliver secure applications, regardless of where they are in their security or application development journey. More on how to modernize your approach to application security can be found in our white paper.