The Software Development Trends Challenging Security Teams
September 09, 2024

Joe Nicastro
Legit Security

TechTarget's Enterprise Strategy Group (ESG) recently surveyed 350 IT and cybersecurity professionals and application developers to create a report called Modernizing Application Security to Scale for Cloud-Native Development. The survey results and analysis offer insights into the strategies, tools, and investments security and development teams are leveraging to address modern AppSec. It also generated some compelling data related to AppSec teams' challenges in the face of a rapidly changing development environment.

When asked to identify their top challenges for AppSec teams supporting cloud-native dev processes, "understanding developer environments and assets to effectively manage security" was one of the top three responses provided. With the explosion of innovations like APIs, multi-cloud deployments, containers, and AI-generated code, the attack surface has grown exponentially in recent years, and security teams are struggling to achieve the visibility and context required to effectively mitigate risk.

More evidence of the struggle to keep up with changing development practices emerged in the survey responses about the speed of development and infrastructure as code.

Speed of Development

Software development cycles today run at a lightning-fast pace and often leave security teams struggling to keep up. When asked about the security challenges with faster development cycles, survey respondents cited the following three areas as their top challenges:

■ Prioritizing needed remediation based on business criticality, reachability, or exploitability (35%)

■ Security lacks visibility and control in development processes (34%)

■ Software is released without going through security checks and/or testing (34%)

With the intense pace of development, chasing down each and every vulnerability becomes unfeasible – it is therefore not surprising to see prioritizing remediation top the list of challenges. Security teams can't afford to spend time, money, and effort fixing something that doesn't actually represent real risk to the organization.

What's missing is contextual prioritization of the overall development environment in order to select which vulnerabilities to fix first based on the impact to the business. Security teams should aim to shift the focus to overall product security rather than creating silos for cloud security, application security, and other components of the software supply chain. They should also seek out a clear view of the full software factory, its assets, its owners, its security controls, its vulnerabilities, and how all are related.

Increasing IaC Misconfigurations

With the software development factory becoming increasingly complex and automated, there are increasing opportunities for misconfigurations to create risk, and AppSec teams are struggling to manage that increase.

For example, the misconfiguration of build servers is a common problem that creates significant vulnerabilities. Build systems are essentially automated, implicitly trusted pathways straight to the cloud, yet most aren't treated as critical from a security perspective. In many cases, these systems, like Jenkins, for example, are misconfigured or otherwise vulnerable and unpatched.

Another increasingly common risk is infrastructure as code (IaC) misconfigurations.

Infrastructure as code use is exploding as developers look for ways to move faster. With IaC, developers can provision their own infrastructure without waiting for IT or operations. However, with increased use comes increased chance of misconfigurations. In fact, 67% of survey respondents noted that they are experiencing an increase in IaC template misconfigurations. These misconfigurations are especially dangerous because one flaw can proliferate easily and widely.

Examples of these misconfigurations include:​ 

■ Not using the latest version of TLS ​

■ Relying on username/passwords instead of SSH keys​

■ Creating cloud assets with excessive permissions, i.e., S3 buckets with read/write permissions

Development tool misconfigurations often stem from privileges issues. Many tools are over-privileged because they're easier to integrate if users have full access. To avoid this in IaC, security teams should pay special attention to access controls in IaC definitions:​ 

■ Determine what users need to do, then craft policies allowing them to perform only those tasks.​ 

■ Do not allow all users full administrative privileges.​

■ Start with a minimum set of permissions and grant additional permissions as necessary.​ 

Context and Clarity

It's clear that modern software security requires better context and more clarity. With the speed and complexity of development environments, security teams need visibility that allows them to make sense of the complexity and move at the speed of development, but current application security tools are falling short.

With different application security tools scanning code in different ways across the development lifecycle, most AppSec tools generate a lot of results without a lot of context. Without contextual risk ranking among applications and vulnerabilities, either "everything" is a priority, or "nothing" is a priority.

Additionally, AppSec teams need the kind of visibility that is standard for endpoint and network protection — where security teams collect a complete list of assets and a map of the environment to know what needs to be protected and where proper controls should be put in place.

For example, creating an automated SDLC asset inventory for development pipelines allows security teams to apply security policies to that inventory and check for risky violations — quickly and accurately. Threat modeling will then allow the team to identify risky implementations before starting development.

Joe Nicastro is Field CTO at Legit Security
Share this

Industry News

October 03, 2024

Check Point® Software Technologies Ltd. announced its position as a leader in The Forrester Wave™: Enterprise Firewalls, Q4 2024 report.

October 03, 2024

Sonar announced two new product capabilities for today’s AI-driven software development ecosystem.

October 03, 2024

Redgate announced a wide range of product updates supporting multiple database management systems (DBMS) across its entire portfolio, designed to support IT professionals grappling with today’s complex database landscape.

October 03, 2024

Elastic announced support for Google Cloud’s Vertex AI platform in the Elasticsearch Open Inference API and Playground.

October 02, 2024

Progress announced the recipients of its 2024 Women in STEM Scholarship Series.

October 02, 2024

SmartBear has integrated the load testing engine of LoadNinja into its automated testing tool, TestComplete.

October 01, 2024

Check Point® Software Technologies Ltd. announced the completion of its acquisition of Cyberint Technologies Ltd., a highly innovative provider of external risk management solutions.

October 01, 2024

Lucid Software announced a robust set of new capabilities aimed at elevating agile workflows for both team-level and program-level planning.

October 01, 2024

Perforce Software announced the Hadoop Service Bundle, a new professional services and support offering from OpenLogic by Perforce.

October 01, 2024

CyberArk announced the successful completion of its acquisition of Venafi, a provider of machine identity management, from Thoma Bravo.

October 01, 2024

Inflectra announced the launch of its AI-powered SpiraApps.

October 01, 2024

The former Synopsys Software Integrity Group has rebranded as Black Duck® Software, a newly independent application security company.

September 30, 2024

Check Point® Software Technologies Ltd. announced that it has been recognized as a Visionary in the 2024 Gartner® Magic Quadrant™ for Endpoint Protection Platforms.

September 30, 2024

Harness expanded its strategic partnership with Google Cloud, focusing on new integrations leveraging generative AI technologies.

September 30, 2024

OKX announced the launch of OKX OS, an onchain infrastructure suite.