There’s a progress problem in application security (AppSec). According to Cloud Security Alliance, the number of global web apps doubled in the last five years from 863 million in 2015 to 1.9 billion in 2020. Yet at the same time, developers and security practitioners are understaffed, overworked, and unnecessarily stressed, all without the proper security tools in place to help them create more secure web apps.
We know from our recent Fall 2021 Invicti AppSec Indicator that a whopping 70% of teams are skipping critical security steps. So if the number of applications is only increasing drastically year over year, why isn’t security making the same progress?
Sonali Shah, Chief Product Officer at Invicti Security, recently discussed this conundrum on a SANS Institute webcast with Dave Shackleford, CEO of Voodoo Security and SANS analyst. Both agreed that while many in the security space have been pushing for best practices and more capable tools for years, it still feels like a struggle.
The attack surface is growing, and so is the risk
With so many web apps floating around today, it doesn’t matter whether an organization is large or small. Every company is at risk if it doesn’t evaluate and adequately secure its attack surface. The Fall Invicti AppSec Indicator also showed us that, of the teams completing coding projects without carrying out crucial security steps, 45% do so frequently. The disconnect in secure software often comes from a lack of education around secure coding best practices, combined with a lack of bandwidth and proper tooling.
As Sonali noted during the webcast, data shows that, on average, enterprises are covering just 20% of their apps. That means organizations are typically leaving 80% of their applications exposed, whether those are apps that the team is unaware of or apps that are still in development. This leads to an increase in the number of costly and brand-damaging data breaches – which are up more than 34x since 2013, according to Risk-Based Security.
Out with the old, in with the new
Legacy tools give security a bad name. They’re slow, don’t cover everything, produce high false-positive rates, and they’re not ideal for DevSecOps or shift-left methodologies. Sometimes teams are slow to adopt new AppSec tools because they don’t have time or they think it’s too complicated, but as the panel pointed out: if your scanning tool hasn’t been upgraded in years, you’re simply not going to succeed.
AppSec is an area where continuous coverage is critical because everything is changing quickly. That means the days of subpar security are long gone. So what’s the right way to do AppSec today? Dave and Sonali outlined:
- Know your entire attack surface by shifting left and right
- Secure all your apps, not just the 20% you think are most critical
- Automate with CI/CD integrations to speed up processes and save sanity
- Strive for 100% accuracy and tame time-wasting false positives
- Secure your applications continuously throughout the software development lifecycle
While there’s no single tool that fits all scenarios, it’s important that organizations large and small focus on the tools that offer speed and accuracy. This, paired with efforts to break down team silos and improve security know-how across the board, is a step towards a security program that works.
Get all the details on unlocking your AppSec future by watching the full webcast here.