Application security finally getting its due

One of the dirty secrets of IT is just how many unpatched vulnerabilities there really are in software running in production environments. Developers are notorious for downloading from various repositories older versions of software components that have known vulnerabilities. Even when alerted to the presence of those vulnerabilities it’s not uncommon for application code in the name of expediency to be delivered with those issues unresolved.

Cybersecurity professionals, of course, spend a lot of time looking for those vulnerabilities but are generally powerless to fix them. Long lists of vulnerabilities detected are shared with developers that are often too busy writing more insecure code to find the time required to patch software already running. The result is a massive amount of security technical debt that cybercriminals can readily exploit.

In fact, even after a module is remediated in a production environment it’s not uncommon for it to show up again in another application because some other developer downloaded the same flawed component from a repository. Cybersecurity professionals have, understandably, experienced a lot of frustration with the way software is built and deployed.

Fortunately, in the wake of a series of high-profile security breaches, there is now a lot more focus on securing software supply chains. An executive order issued by the Biden administration that requires Federal agencies to review their software supply chains go the ball rolling. Now there’s pending legislation that would go so far as to prevent Defense agencies from deploying software with known vulnerabilities altogether.

Not surprisingly, it appears enterprise IT organizations are taking note of the same issue. A survey of 500 DevSecOps professionals conducted by Wakefield Research on behalf of Invicti, a provider of dynamic application security testing (DAST) tools, finds nearly three-quarters of organizations (73%) anticipate that they'll increase their investments in application security in 2023.

The issue, of course, is how the budget dollars will be allocated. The trouble with application security is cybersecurity teams generally viewed it as something application developers should be responsible to maintain. Developers, alas, always assumed cybersecurity teams were taking care of this issue on their behalf. There is now a general consensus that development teams will assume responsibility as part of a “shift left” that promotes the adoption of best DevSecOps practices. The goal of that effort is to embed tools in everything from integrated development environments to continuous integration/continuous delivery (CI/CD) platforms that prevent vulnerabilities from being introduced into applications in the first place.

So long as humans are writing code there are mistakes that will be made. There will as a result always be a need to deploy platforms that secure both applications and the application programming interfaces (APIs) used to access them. However, the number of vulnerabilities being found in applications running in production environments should steadily decline in the years ahead. The issue now is determining to what degree to either patch existing applications faster to make them more secure or replace them with more modern iterations of applications that hopefully won’t require as much ongoing effort to secure.