As we look into the new year, we see three trends emerging for application security.
DevOps/DevSecOps drive fuzzing mainstream. The 2020 Standard C++ Foundation annual survey showed that 37% of developers are now using fuzzing in concert with continuous deployment. We expect fuzzing to continue to grow and become standard in DevOps/DevSecOps pipelines. The main driving factor is speed of delivery, where traditional appsec tools like SAST require a manual review of results due to false positives. This manual review either slows down the overall pipeline, or developers simply don’t look at the results and deploy anyway.
Fuzzing builds on the ethos of actionable results so that pipelines are not stalled with manual review. Fuzzers have zero or very low false positives because they couple every bug report with a witness input that triggers the bug. We are also seeing organizations that adopt fuzzing move more quickly to autonomous and continuous testing. A basic continuous testing environment executes a static set of developer-created tests on each release. The problem is growing your test suite to cover code as it is developed. A modern fuzzer can take a small test suite with lower coverage and autonomously grow it into a test suite with higher coverage. That autonomously increased coverage means more confidence in your deployments.
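To make the two mechanisms concrete (a witness input attached to every report, and a corpus that grows on its own from a small seed), here is an added example, not code from the original post or from ForAllSecure: a minimal coverage-guided fuzzer in Python whose target parser, seed input and planted bug are all constructed for the illustration.

```python
import sys

def parse_record(data: bytes) -> int:
    # Constructed target: a toy record parser whose planted bug (no bounds
    # check before data[5]) sits four nested branches deep.
    if len(data) < 2 or data[0] != ord("R"):
        return 0
    if data[1] == 1:
        return 1
    if data[1] == 2:
        if len(data) > 2 and data[2] == ord("B"):
            if len(data) > 3 and data[3] == ord("O"):
                if len(data) > 4 and data[4] == ord("M"):
                    return data[5]  # IndexError when len(data) == 5
            return 2
        return 3
    return 4

def run_with_coverage(target, data):
    # Run target(data) once; return the set of target's line numbers that
    # executed (collected with sys.settrace) and a crash report or None.
    lines = set()
    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is target.__code__:
            lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        target(data)
        return lines, None
    except Exception as exc:  # any uncaught exception counts as a crash
        return lines, repr(exc)
    finally:
        sys.settrace(None)

def fuzz(target, seeds, max_len=16):
    # Coverage-guided loop: an input that executes a line no earlier input did
    # joins the corpus and is mutated in turn. The mutator is an AFL-style
    # deterministic sweep: every byte set to every value, plus every possible
    # appended byte. Returns the grown corpus and (witness, report) crash pairs.
    corpus, covered, crashes = [], set(), []
    def consider(data):
        lines, crash = run_with_coverage(target, data)
        if crash:
            crashes.append((data, crash))  # report coupled with its witness input
        elif not lines <= covered:
            covered.update(lines)
            corpus.append(data)            # new coverage: becomes a new seed
    for seed in seeds:
        consider(seed)
    for parent in corpus:                  # entries appended mid-loop are visited too
        for pos in range(len(parent) + (len(parent) < max_len)):
            for value in range(256):
                m = bytearray(parent)
                m[pos:pos + 1] = bytes([value])  # overwrite, or append at pos == len
                consider(bytes(m))
    return corpus, crashes
```

Calling `fuzz(parse_record, [b"R\x01"])` grows the single seed into six corpus entries, one per newly reached branch, and reports exactly one crash, the witness `b"R\x02BOM"` paired with its IndexError. Re-running the witness through `run_with_coverage` reproduces the bug, which is what lets a pipeline act on the report without a manual triage step.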
Rise of product security as a discipline. We expect more and more businesses to create and grow product security as a discipline. Product security unites the authority and budget traditionally owned by cybersecurity with the responsibility and implementation owned by engineering, operations, and response.
For example:
Organizations that embrace product security find they are better at building in security earlier, which study after study shows is ultimately cheaper.
Security and reliability become one. You can’t have a secure product if an attacker can make it unreliable. While security has always included the CIA triangle -- confidentiality, integrity, and availability -- security teams have focused most of their effort on the first two. We expect this to change in 2021, with analysts predicting the API testing market to grow to $5.1 billion by 2023.
Reliability -- especially for APIs -- is growing in importance because our reliance on APIs is growing, while at the same time the way we develop software has changed. Modern software stacks are written as a collection of microservices, with each service written in a type-safe language that better guards against low-hanging vulnerabilities. However, this also makes it harder and harder to reason about how all the services may interact. We expect appsec teams to increasingly orient around checking availability, especially on how malicious requests between APIs and microservices may bring down the overall application and business.