In a recent study conducted by 451 Research, a part of S&P Global Market Intelligence, we explore key pain points in application security, the primary users of application security testing (AST) tools and where those tools are applied, requirements around API security, and the key features that lead to the recommendation and repurchase of AST tools.
The take
As generative AI is increasingly applied to information security, a key emerging use case is the ability to take a corpus of existing code and use it to generate predictive corrections for static AST (SAST) analysis findings. While much has been said about GenAI’s potential to enhance developer productivity by generating usable code in integrated development environments, automating code patches for security vulnerabilities may enable similar efficiency gains in application security. Similar to the acceptance of code generation, the success of this approach in leveraging AI will depend on practitioners’ opinions about whether the code being generated is trustworthy and usable. Developers’ and security professionals’ level of trust in generated code patches will determine whether fixes are accepted out of hand, accepted after manual review or rejected outright. Data from early application security respondents shows a willingness to leverage generative AI for this purpose: 33% of respondents are confident in the results they are seeing and would automatically apply such code fixes. Around 44% are willing to do so after reviewing the suggested code modifications, and an additional 17% would review code change suggestions, but would implement their own. Meanwhile, 6% are not interested in AI-suggested code changes.
Summary of findings
Managing open-source vulnerabilities is the most cited pain point among application security respondents, with a regular drumbeat of serious industrywide open-source attacks over the years, from Heartbleed to Log4j. This year’s attack on the XZ Utils compression library is the latest reminder of the fragility of the open-source ecosystem, and the need for tools and practices to quickly identify and patch insecure libraries, such as software composition analysis (SCA). This particular software supply chain attack involved a difficult-to-find backdoor being installed into liblzma, a component of the XZ library used in OpenSSH on many popular Linux distributions. The attack was conducted patiently over a period of years, leveraging social engineering techniques that preyed on the collaborative maintainer culture, which rewards established maintainers with credibility that the maintenance of open-source projects depends on. Perhaps unsurprisingly, 44% of security professionals from another recently conducted study cited short-term plans to implement SCA.
Shift-left — the idea that applying AST tools earlier in software life cycles will catch problems early — remains a work in progress, and represents the least expensive approach to correcting security vulnerabilities within applications. About 45% of respondents run AST tools after new code is introduced, a significant improvement from 34% when 451 Research, a part of S&P Global Market Intelligence, first fielded this question in 2015. The use of AST tools is still fairly evenly split between application development and information security teams, but has been trending lately back toward information security. Respondents allocate 55% of AST tool use to the information security team and 45% to application developers. Developers are taking on a portion of the day-to-day testing and security issue resolution process, which is likely one of the only paths to keeping up with the rate of code changes in most organizations.
The use of APIs in modern applications as the primary messaging protocol, as well as the method of communicating with third-party services, continues to grow at an exponential rate. As a corollary, security teams have increasingly specific requirements for dedicated API security applications. Among these are the ability to test APIs for security vulnerabilities (34%), identify attacks against APIs (34%), identify and prioritize APIs that contain sensitive data (34%) and detect anomalous behavior in API usage (32%).