Application Security Trends 2014 and Beyond

One needs to understand that Application Security over the years has become more of a practice rather than technology. The increasing number of attacks on mobile and web applications of very prestigious customers across the globe, has given a serious scratch to the grey cells of senior management of these top IT companies and nightmares to CISOÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║├ö├Â┬ú├ö├▓├╣s. ItÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║├ö├Â┬ú├ö├▓├╣s become evident that Application security can no longer be treated as an aftermath, but more of a religious practice as part of the daily IT SDLC. However this may not guarantee an unbreakable Iron Fort for these companies to secure their data but at least will provide a 24/7 vigilance mechanism of what to prioritize, where to invest and how to protect. For this to happen one needs to understand the key trends which will drive the spending and protection of the application for 2014 and beyond. Last year had been the year of hacks for big companies, 2014 and beyond shall also see similar hacking trends. However, it shall either remain similar or go down in terms of number of applications hacked and less million data stolen. The industry will definitely see a higher level of maturity in terms of application security than ever before.The first and foremost step has always been security testing, where increasingly more number of organizations will ask for Penetration Testing report for applications developed by third party. The test criteria not being restricted to functional aspects alone but even security aspects. For large business moving onto cloud, will stress on all their applications to be tested before positioning it as a Cloud based Service. Organizations with more than 100 applications will strive to prioritize their efforts and spending, but will definitely end up testing more than 90% of their applications at least once a year. Testing all the apps shall be one of the priorities of the CISOs.DAST (Dynamic Application Security testing) had been the primary mode of application security testing and will continue to be so for almost all the organizations. It is the easiest to adopt and gives exactly the perspective of an external attacker who will not have access to your code. The subsequent step would be to have the SAST conducted. For Web based Applications there is resistance towards providing binaries or the code. However for mobile applications organizations are more willing to provide the binary for the client side application. Though organizations understand the importance of combining SAST and DAST, it is the Mobile Application testing which shall drive higher adoption for this combination of security testing. More security sensitive organizations at a higher maturity level shall conduct SAST and DAST together for Web and Mobile applications.Industry experts claim and state that, Application Security testing will no longer be treated as a standalone activity, but will evolve into a long term Application Vulnerability management program. Most of the large organizations shall outsource application security testing as a continuous program. The industry shall see higher number of integration of vulnerability management program and the preventive solutions like SIEM/WAF. This shall become one of the criteria of choosing their security testing partners.The mature organizations shall ask for Business Logic testing as a mandatory requirement. The importance of logical vulnerabilities in application security testing is one of the less focused topics by the security testing product vendors. Logical vulnerabilities are the most critical and difficult to detect and most of the security testing products or cloud solutions are unable to cover this. More mature organizations will seek for domain specific expertise for testing. A bottom line conclusion being, the organizations vigilant of these trends and being prepared for can be more resilient to attack and can recover at a faster pace when hacked, compared to ones who are less matured.

Rate this article: 
Average: 1 (1 vote)