
2022 Cyber Predictions: ‘Shift-Left’ Is Important, but Don’t Over Rotate

Updated: Dec 22, 2021

This is part of our 2022 cybersecurity predictions series. Top leaders from across the industry shared what cyber could bring in the new year.

Michael Isbitski, Technical Evangelist at Salt Security

“Shift-left practices accelerated in 2021 and will continue to do so as we move into 2022. While shift-left has become a great way to ensure that tighter security practices are implemented earlier and throughout the entire application lifecycle, many organizations are over-rotating, which instead creates sizable security gaps and leaves organizations open and vulnerable to attacks. Many fail to understand that a significant amount of API security issues only develop at runtime and therefore cannot be effectively tested or examined prior to delivery on infrastructure. To achieve strong API security, organizations must utilize tools that can continuously check for and remediate all potential API issues. That is why, in 2022, more organizations must focus on developing and embracing a more holistic, full lifecycle approach to API security. This mindset requires a shift away from the desire to test all code with scanning tools, which struggle to provide adequate code coverage and leave business logic unaddressed, and instead demands that practitioners account for an organization’s unique business logic in application source code, as well as misconfigurations or misimplementations of infrastructure that lead to API vulnerabilities and API abuse.

Over the next 12 months, we will also continue to see anomaly detection capabilities rise to enhance API security postures. While development and security teams often lean towards securing front-end code to protect the back-end systems, mistakes made in architectural design or during the implementation of third-party software can be detrimental for business objectives. This in turn can create vulnerabilities that expose systems, users and sensitive data to bad actors. Legacy tooling and a lack of sufficient resources and expertise to understand and manually monitor each individual system can also inhibit anomaly detection.”
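The runtime point above is easiest to see with a concrete case. A handler for `GET /api/accounts/{id}` can pass every static check and still be abusable, because whether the caller is allowed to read account `{id}` depends on data that only exists at runtime. The access log, however, shows the abuse: one caller walking many account ids in sequence. The following is an added example, not code from the article, from Michael Isbitski, or from Salt Security. The endpoint, the user identifiers and every log line are constructed for illustration, and the thresholds are assumptions chosen for the sample.

```python
"""
Runtime anomaly detection over API access logs (added example, not from the
original article).  A code scanner cannot tell whether a hypothetical
/api/accounts/{id} handler enforces object-level authorization for every
id, because that depends on runtime data.  The traffic can reveal it: one
caller touching far more distinct account ids than its peers, in sequence.
All log lines below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List

# Constructed sample.  Normal users touch one or two of their own accounts;
# user u9 enumerates ids it does not own, and every response is 200 because
# the hypothetical API does not check ownership.  The /api/health line is
# there to show that non-object endpoints are ignored by the detector.
SAMPLE_LOG = """\
2021-12-22T10:00:01Z u1 GET /api/accounts/1001 200
2021-12-22T10:00:05Z u2 GET /api/accounts/2001 200
2021-12-22T10:00:09Z u1 GET /api/accounts/1002 200
2021-12-22T10:00:12Z u3 GET /api/accounts/3001 200
2021-12-22T10:00:15Z u4 GET /api/accounts/4001 200
2021-12-22T10:00:20Z u9 GET /api/accounts/1001 200
2021-12-22T10:00:21Z u9 GET /api/accounts/1002 200
2021-12-22T10:00:22Z u9 GET /api/accounts/1003 200
2021-12-22T10:00:23Z u9 GET /api/accounts/1004 200
2021-12-22T10:00:24Z u9 GET /api/accounts/1005 200
2021-12-22T10:00:25Z u9 GET /api/accounts/1006 200
2021-12-22T10:00:26Z u9 GET /api/accounts/1007 200
2021-12-22T10:00:27Z u9 GET /api/accounts/1008 200
2021-12-22T10:00:28Z u9 GET /api/accounts/1009 200
2021-12-22T10:00:29Z u9 GET /api/accounts/1010 200
2021-12-22T10:00:30Z u9 GET /api/accounts/1011 200
2021-12-22T10:00:31Z u9 GET /api/accounts/1012 200
2021-12-22T10:00:40Z u4 GET /api/accounts/4002 200
2021-12-22T10:00:45Z u3 GET /api/accounts/3001 200
2021-12-22T10:00:50Z u1 GET /api/accounts/1001 200
2021-12-22T10:01:00Z u2 GET /api/health 200
"""

# Assumed log format: "<timestamp> <user> <method> <path> <status>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# The hypothetical object-level endpoint under observation.
PATH_RE = re.compile(r"^/api/accounts/(\d+)$")


@dataclass(frozen=True)
class Request:
    ts: str
    user: str
    method: str
    path: str
    status: int


def parse_log(text: str) -> List[Request]:
    """Parse log lines; malformed lines are skipped rather than fatal."""
    requests = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, method, path, status = m.groups()
        requests.append(Request(ts, user, method, path, int(status)))
    return requests


def object_ids_by_user(requests: List[Request]) -> Dict[str, List[int]]:
    """Account ids each user requested, in order of appearance.
    Requests to other paths are ignored."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for r in requests:
        m = PATH_RE.match(r.path)
        if m:
            seen[r.user].append(int(m.group(1)))
    return dict(seen)


def sequential_ratio(ids: List[int]) -> float:
    """Fraction of consecutive requests whose id is the previous id plus one.
    A value near 1.0 means the caller is walking the id space."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return steps / (len(ids) - 1)


def find_enumerators(requests: List[Request], min_ids: int = 5,
                     min_ratio: float = 3.0) -> Dict[str, Dict[str, float]]:
    """Flag users whose count of distinct ids is at least min_ratio times
    the population median (and at least min_ids).  Thresholds are assumed
    values for this sample; a real deployment would use a historical
    per-endpoint baseline rather than the batch being scored."""
    per_user = object_ids_by_user(requests)
    if not per_user:
        return {}
    distinct = {u: len(set(ids)) for u, ids in per_user.items()}
    threshold = max(min_ids, min_ratio * median(distinct.values()))
    flagged = {}
    for user, ids in per_user.items():
        if distinct[user] >= threshold:
            flagged[user] = {
                "distinct_ids": distinct[user],
                "sequential_ratio": sequential_ratio(ids),
                "threshold": threshold,
            }
    return flagged


if __name__ == "__main__":
    for user, report in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(user, report)
```

The detector knows nothing about which accounts belong to whom; it flags `u9` purely from behaviour, which is the kind of signal a source scanner cannot produce. The same heuristic will also fire on a legitimate batch job or an internal service account that genuinely reads many accounts, so in practice the baseline should be historical and per endpoint, and known bulk callers need an allowlist rather than a raised threshold for everyone.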


