A study conducted by 451 Research, a part of S&P Global Market Intelligence, explores the key attributes that organizations' security buyers expect when selecting application security testing tools; organizational behavior, including the interplay between application development and information security; and common pain points specific to application security.
The Take
As part of the application security study, a correlation analysis is performed against attributes connected to purchasing application security testing (AST) tools and the likelihood that a survey respondent would recommend that tool to a colleague or repurchase it for their enterprise. Integration with "shift right" tools, meaning tools that protect applications in production, is highly correlated this year with recommendation and repurchase. For many years, a false dichotomy had developed between proponents of "shift left" (fixing security defects early in the development life cycle) and proponents of shift-right platforms, largely built around the idea that a web application firewall (WAF) or similar solution could absolve development teams from correcting vulnerable code. This idea was codified in earlier versions of the Payment Card Industry Data Security Standard, for example, which suggested that teams could either do code reviews or implement an application firewall. In the absence of special circumstances, such as a business-critical application whose code is no longer maintained, both will be the answer for most organizations developing their own applications. Shift-right tooling provides the space for shift-left to work, whether through near-real-time blocking of novel attack types against a previously unknown open-source vulnerability or simply by giving development teams time to correct newly discovered vulnerabilities in a timely but structured manner instead of issuing panicked patches. It also increasingly helps direct shift-left efforts by identifying and prioritizing vulnerabilities in production applications.
Summary of findings
Shift-right tools include runtime application self-protection (RASP), which has evolved into modern solutions offering runtime protection, WAF, pure-play API security and application security posture management (ASPM). While ASPM feature sets vary, the idea is to provide asset inventory and visibility into the services, dependencies and data flows within an application, and to give an indication of risk based on a service's context (for example, whether it is internet-facing or handles sensitive data) and its potential vulnerabilities. Among organizations with application security tooling in place, 20% have implemented ASPM and another 14% plan to in the next 12 months. There are some roadblocks, however: 30% of respondents identify application protection tools interfering with the running of production applications in unpredictable ways as a key application security pain point.
Data protection and security — two sides of the same coin?
Tools that address API security issues are the most commonly deployed AST solution, implemented by nearly 48% of surveyed enterprises, but it is important to note that the API security market can represent a variety of tools, including runtime protection, code analysis and vulnerability scanning, and these can operate at different levels of depth. WAF is also used by nearly 48% of respondent organizations, and many of these tools include some form of API protection as part of the offering. A pure-play API security market has emerged in the past few years, largely due to perceived weaknesses in WAFs' handling of APIs amid exponential growth in API usage, which is itself largely due to architectural shifts toward microservices-based approaches and the increased use of partner APIs. Detecting anomalous behavior by APIs is the top-cited important feature of API security solutions at 44%, and this requires the ability to capture and analyze behavior over multiple API calls rather than inspecting each request in isolation. The ability to actively test APIs comes in second with 43% of responses, while the ability to inventory APIs, including identifying which are sensitive and which have authentication, has started to become table stakes as an expected feature.
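As an added illustration of the point above (not code from the report or from any vendor), the constructed Python below contrasts a per-request check, which passes every call, with a detector that keeps state per client token across calls and flags sequential object-ID enumeration; the log lines, token names, path layout and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample API access log (not from the report). Fields:
# timestamp, client token, method, path, HTTP status. Every call is
# well-formed and authenticated; only the sequence from tok-A is odd.
SAMPLE_LOG = """\
1700000000 tok-A GET /api/v1/orders/1001 200
1700000001 tok-A GET /api/v1/orders/1002 200
1700000002 tok-A GET /api/v1/orders/1003 403
1700000003 tok-A GET /api/v1/orders/1004 403
1700000004 tok-A GET /api/v1/orders/1005 200
1700000005 tok-A GET /api/v1/orders/1006 403
1700000010 tok-B GET /api/v1/orders/2231 200
1700000040 tok-B GET /api/v1/orders/2231/items 200
1700000090 tok-B POST /api/v1/orders 201
"""

OBJECT_RE = re.compile(r"^(/api/v\d+/[a-z]+)/(\d+)(?:/|$)")  # collection, id

def parse(log_text):
    calls = []
    for line in log_text.splitlines():
        ts, token, method, path, status = line.split()
        calls.append((int(ts), token, method, path, int(status)))
    return calls

def per_request_ok(call):
    """WAF-style stateless check: method allowed, path in the API namespace."""
    _, _, method, path, _ = call
    return method in ("GET", "POST") and path.startswith("/api/")

def find_enumeration(calls, window_s=60, min_ids=5):
    """Flag a (token, collection) pair that touches many distinct, mostly
    consecutive object ids within window_s seconds. Returns a list of findings."""
    seen = defaultdict(list)  # (token, collection) -> [(ts, id, status)]
    for ts, token, _method, path, status in calls:
        m = OBJECT_RE.match(path)
        if m:
            seen[(token, m.group(1))].append((ts, int(m.group(2)), status))
    findings = []
    for (token, coll), events in seen.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - t0 <= window_s]
            ids = sorted({e[1] for e in window})
            if len(ids) < min_ids:
                continue
            consecutive = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if consecutive >= len(ids) - 2:  # allow a couple of gaps
                denied = sum(1 for e in window if e[2] in (401, 403, 404))
                findings.append({"token": token, "collection": coll,
                                 "distinct_ids": len(ids), "denied": denied})
                break
    return findings
```

Running `find_enumeration(parse(SAMPLE_LOG))` flags tok-A on `/api/v1/orders` while `per_request_ok` accepts every individual call, which is the gap the report attributes to request-at-a-time WAF handling of APIs.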
Managing open-source vulnerabilities (35%) is the most cited application security pain point in this year's study, with the emergency response to the Log4J vulnerability still fresh in security practitioners' minds and an oft-mentioned example in security vendor use cases. The mention of the software bill of materials (SBOM) in a 2021 Executive Order on cybersecurity, and the industry's subsequent challenges in evolving to support a couple of common formats, as well as issues regarding SBOM generation, SBOM ingestion and vulnerability identification, have added to the attention on securing open source.
Shift left, meaning earlier testing for security vulnerabilities in the development life cycle, ideally at coding time, continues to improve gradually. In 2015, 34% of surveyed organizations ran AST tools after new code was introduced; this figure has risen to 49% this year. Alongside that, the usage share of AST tools has moved from a 71%/29% split in favor of information security in 2015 to near parity in 2023: 55% information security usage, 45% application development. These shifts have required AST tools to move from an application-level to a project-level context, as developers are largely working on a feature or service within a project rather than on the entire application. They have also required new patterns of interplay between application development and information security, and a greater focus on developer experience when dealing with security concerns, specifically not introducing friction into developers' processes to the point that developers start to work around security controls or scanning.