ForAllSecure Executives Weigh-In on DevSecOps and AppSec in 2021
This is part of an ongoing 2021 predictions series. We’ve asked top cyber experts to contribute their insights and expertise to provide a look ahead at what the new year may bring to cybersecurity.
Dr. David Brumley, CEO and co-founder, ForAllSecure:
"As we look into the new year, we see three trends emerging for the new year for application security.
DevOps/DevSecOps drive fuzzing mainstream. The 2020 Standard C++ Foundation annual survey showed that 37% of developers are now using fuzzing in concert with continuous deployment. We expect fuzzing to continue to grow and become standard in DevOps/DevSecOps pipelines. The main driving factor is speed of delivery, where traditional appsec tools like SAST require a manual review of results due to false positives. This manual review either slows down the overall pipeline, or developers simply don’t look at the results and deploy anyway.
Fuzzing builds on the ethos of actionable results so that pipelines are not stalled with manual review. Fuzzers have zero or very low false positives because they couple every bug report with a witness input that triggers the bug. We are also seeing organizations who adopt fuzzing move more quickly to autonomous and continuous testing. A basic continuous testing environment executes a static set of developer-created tests on each release. The problem is growing your test suite to cover code as it is developed. A modern fuzzer can take a small test suite with lower coverage and autonomously grow it to a test suite with higher coverage. That autonomously increased coverage means more confidence in your deployments.
Rise of product security as a discipline. We expect more and more businesses to create and grow product security as a discipline. Product security unites the authority and budget traditionally owned by cybersecurity with the responsibility and implementation owned by engineering, operations, and response.
A legacy organization may have appsec tools under the CISO budget, and then throw the tool over the fence to engineering for actual day-to-day use. A modern product security team will take an end-to-end approach, from tool selection, purchase, to ultimately being integrated day-to-day into the pipeline.
A legacy organization may have cybersecurity reacting to a new incident, wondering where the instrumentation is in the product to help. A modern product security team will be involved in the design and architecture to ensure that incident response capabilities are baked in.
A legacy organization may leave things like secrets management and user data privacy to the ops team. A product security team will help engineer the product to account for best practices from day one.
Organizations that embrace product security find they are better at building in security earlier, which study after study shows is ultimately cheaper.
Security and reliability become one. You can’t have a secure product if an attacker can make it unreliable. While security has always included the CIA triangle -- confidentiality, integrity, and availability -- security teams have focused most of their effort on the first two. We expect this to change in 2021, with analysts predicting the API testing market to grow to $5.1 billion by 2023.
Reliability -- especially for APIs -- is growing because our reliance on APIs is increasing, while at the same time how we develop software has changed. Modern software stacks are written as a collection of microservices, with each service written in a type-safe language that better guards against low-hanging vulnerabilities. However, it also makes reasoning about how all the services may interact harder and harder. We expect appsec teams to increasingly orient to checking availability, especially on how malicious requests between APIs and microservices may bring down the overall application and business."
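The corpus-growing behaviour described in the first quote (a fuzzer starting from a small developer test suite, keeping only inputs that reach new code, and pairing each bug with a witness input) as an added illustration that is not ForAllSecure's or Mayhem's code: a coverage-guided fuzzer built on `sys.settrace`, run against a constructed toy parser whose zero-count record is a deliberate divide-by-zero bug. The target, the seed and the mutation strategy are all assumptions made for the example.

```python
import random, sys

def parse_record(data: bytes) -> int:
    # Constructed toy target: 'MZ' magic, a count byte, then payload; count 0 is a deliberate divide-by-zero bug.
    if len(data) < 3:
        return 0                      # too short
    if data[0] != 0x4D:               # 'M'
        return 1                      # bad magic
    if data[1] != 0x5A:               # 'Z'
        return 2
    return sum(data[3:]) // data[2]   # ZeroDivisionError when the count byte is 0

def run_with_coverage(func, data):
    # Execute func(data) under sys.settrace; return (line numbers executed inside func, exception or None).
    lines = set()
    def tracer(frame, event, arg):
        if event == "line" and frame.f_code is func.__code__:
            lines.add(frame.f_lineno)
        return tracer
    sys.settrace(tracer)
    try:
        func(data)
        return lines, None
    except Exception as exc:
        return lines, exc
    finally:
        sys.settrace(None)

def mutate(data: bytes, rng: random.Random) -> bytes:
    # Stack 1-4 random byte overwrites and inserts (a slice of AFL's "havoc" stage).
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        if buf and rng.random() < 0.5:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(target, seeds, iterations=200_000, seed=7):
    # Coverage-guided loop: a mutant that executes a new line joins the corpus; the first crash is returned as the witness.
    rng, corpus = random.Random(seed), list(seeds)
    covered = set().union(*(run_with_coverage(target, s)[0] for s in seeds))
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        lines, exc = run_with_coverage(target, candidate)
        if exc is not None:
            return corpus, covered, (type(exc).__name__, candidate)
        if not lines <= covered:
            covered |= lines
            corpus.append(candidate)
    return corpus, covered, None
```

Starting from the single seed `b"hello"`, which never passes the magic check, the loop saves an input that reaches the `'M'` check, then one that reaches `'Z'`, and finally trips the division; the returned witness replays the crash deterministically, which is what makes the report actionable without manual triage.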
Alex Rebert, co-founder, ForAllSecure:
"DevSecOps adoption is on the rise amongst business leaders who wish to hold software development teams accountable for stronger system-wide data security. This trend will only continue to increase next year, and we will see an even greater number of development teams include cybersecurity in each part of the life cycle.
What will we see as a result of this transformational change? I’ve recapped my top three predictions for what development teams should expect next year:
Fuzzing will become the 3rd pillar of testing, as fundamental to quality as unit and integration testing. Amid demands to push more testing left, the time is ripe for automation technology to evolve approaches to software testing. Fuzzing, combined with property-based testing techniques, is significantly more effective and efficient than traditional testing methods. Developers will spend less time on testing while writing better tests. As organizations see gains from property-based fuzzing, we will see deeper integrations between fuzzing techniques and testing frameworks in 2021.
Rust goes mainstream. Rust will continue to mature and will become a preferred language for new projects. Developers have found that it offers performance without compromising safety. Microsoft, Amazon, Apple, Cloudflare, and many others are transitioning projects to Rust, or selecting Rust as the language of choice for new projects. While there is always a new hip language, and it is certainly that right now, Rust’s offering is unique and is likely here to stay.
The rise of OpenAPI & its impact on API security. Web frameworks are increasingly adopting OpenAPI and offer the ability to automatically generate an API specification. Those specifications unlock new security techniques: WAFs rejecting out-of-spec requests or responses, blackbox API fuzzing, … In the upcoming year, OpenAPI specs will become even more commonplace, and DevSecOps tools are going to leverage them to unlock more value."
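The "WAF rejecting out-of-spec requests" technique from the last prediction, as an added example that is not part of the original article or any vendor's product: a request checker driven by a constructed OpenAPI 3 fragment for a hypothetical `/users/{id}` endpoint. Every request that names an undeclared path, method or query parameter, or carries a parameter value outside its declared schema, is reported rather than forwarded; the spec, endpoint and schema subset are all assumptions made for the example.

```python
import re

# Constructed OpenAPI 3 fragment for a hypothetical service (not any real product's spec).
SPEC = {"paths": {"/users/{id}": {"get": {"parameters": [
    {"name": "id", "in": "path", "required": True,
     "schema": {"type": "integer", "minimum": 1}},
    {"name": "fields", "in": "query", "required": False,
     "schema": {"type": "string", "maxLength": 32, "pattern": "^[a-z,]+$"}},
]}}}}

def check_schema(value: str, schema: dict):
    # Validate one raw parameter string against the JSON Schema subset the fragment uses; None means OK.
    if schema.get("type") == "integer":
        if not re.fullmatch(r"-?\d+", value):
            return "is not an integer"
        n = int(value)
        if n < schema.get("minimum", n) or n > schema.get("maximum", n):
            return "is out of range"
    elif schema.get("type") == "string":
        if len(value) > schema.get("maxLength", len(value)):
            return "is too long"
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            return "does not match the declared pattern"
    return None

def validate_request(spec: dict, method: str, path: str, query: dict) -> list:
    # Return every violation of the spec; an empty list means the request is in-spec and may pass.
    for template, ops in spec["paths"].items():
        m = re.fullmatch(re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template), path)
        if m is None:
            continue                                   # try the next declared path
        path_params = m.groupdict()
        op = ops.get(method.lower())
        if op is None:
            return [f"method {method} not allowed on {template}"]
        params = op.get("parameters", [])
        declared = {p["name"] for p in params}
        errors = [f"undeclared query parameter '{q}'" for q in query if q not in declared]
        for p in params:
            source = path_params if p["in"] == "path" else query
            if p["name"] not in source:
                if p.get("required"):
                    errors.append(f"missing required parameter '{p['name']}'")
                continue
            problem = check_schema(source[p["name"]], p["schema"])
            if problem:
                errors.append(f"parameter '{p['name']}' {problem}")
        return errors
    return [f"unknown path {path}"]
```

The same spec object can drive the other technique the quote names, black-box API fuzzing, by generating boundary values from each parameter's schema and replaying them through `validate_request` before they reach the service.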