As 2016 winds down, I’ve been reflecting on how far the application security market has come over the past 12 years I’ve been involved in the industry. We’ve come a long way. But as technology continues to evolve, so will application security. The growing trend of continuous development, increasing use of third-party and open-source components, and the surging number of applications means we will continue to see changes to the application security market for years to come. It is an exciting industry.
Because it is the end of the year, I pulled together a list of my predictions for what we will see from application security in the coming years.
SAST-as-a-cloud-service enables IT organizations to focus on application development. It also delegates static application security testing (SAST) to third-party, independent, cloud-based security experts, rather than attempting to hire or train internal experts. Such services assure a high level of accuracy of test results, as well as the ability to scale testing programs. This becomes more important as companies produce more software at a faster pace than ever before.
- SAST solutions that only test applications in their final, pre-deployment form will not be able to keep up with the pace of development. DevOps-enabled SAST tests applications in increments (individual files, code snippets). Results are delivered directly to developers almost instantaneously (within a few seconds to a few minutes), thus making the SAST process continuous, incremental and fast – a perfect fit for DevOps, continuous integration and continuous deployment (CI/CD) processes.
- Growing DevOps and CI/CD adoption hands application security testing over to developers. The application security technology market starts offering SAST specially designed to fit DevOps and CI/CD, where SAST is done in the smallest increments, continuously and rapidly. SAST supports the security testing requirements of individual developers, development teams and the enterprise as a whole, and spreads across both the programming and testing phases. DAST, which is used mostly in the test phase, lags behind SAST in meeting individual developers' needs, and will yield to SAST in frequency of use across the software development lifecycle.
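The incremental, developer-facing SAST described above, as an added example that is not code from the original post: a small gate that parses a unified diff and runs its rules only over the lines a change adds, so each finding points at the developer's own edit and the check is cheap enough to run as a pre-commit hook or CI step. The rule set and the sample diff are constructed for illustration.

```python
# Added example (not code from the original post): a DevOps-style SAST gate
# that scans only the lines a change adds, so findings land on the developer's
# own edit within a pre-commit hook or CI step. RULES and SAMPLE_DIFF are
# constructed for illustration; the diff parsing follows the unified format.
import re

RULES = [  # constructed rule set: (id, pattern, message)
    ("hardcoded-secret",
     re.compile(r'(?i)(password|secret|api_key)\s*=\s*["\'][^"\']+["\']'),
     "credential literal committed to source"),
    ("shell-true", re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
     "shell=True risks command injection"),
]
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def added_lines(diff: str) -> list[tuple[str, int, str]]:
    """Return (path, new-file line number, text) for each line the diff adds."""
    out, path, line_no = [], "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):  # new-file header, e.g. '+++ b/app/db.py'
            path = raw[4:].split("\t")[0].removeprefix("b/")
        elif raw.startswith(("--- ", "\\")):
            continue  # old-file header or 'No newline at end of file' marker
        elif (m := HUNK_RE.match(raw)):
            line_no = int(m.group(1))  # hunk start line in the new file
        elif raw.startswith("+"):
            out.append((path, line_no, raw[1:]))
            line_no += 1
        elif not raw.startswith("-"):
            line_no += 1  # context line advances the new-file counter
    return out

def scan_diff(diff: str) -> list[dict]:
    """Run every rule over the added lines only and return the findings."""
    return [{"file": p, "line": n, "rule": rid, "message": msg}
            for p, n, text in added_lines(diff)
            for rid, pat, msg in RULES if pat.search(text)]

SAMPLE_DIFF = """\
--- a/app/db.py
+++ b/app/db.py
@@ -10,4 +10,6 @@ import os
 def connect():
-    pw = os.environ["DB_PASSWORD"]
+    password = "hunter2"
+    return db.connect(user="app", password=password)
 
 def run(cmd):
+    return subprocess.run(cmd, shell=True)
"""
```

Feeding the output of `git diff --cached` to `scan_diff` gives findings keyed by file and new-file line number, which is what a pre-commit hook or CI annotation needs to report back to the author of the change.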
As attacks increasingly focus on applications, more enterprises will adopt and expand security programs aimed at testing and remediating their mission-critical applications and an even broader portfolio of applications. Static analysis of applications' code, dynamic analysis of running, tested applications, and security analysis of third-party components become common practice.
A critical part of such programs will be the adoption of software composition analysis (SCA) technology, which analyzes third-party (typically open source) software components for known security vulnerabilities, thus assuring that supplied components meet enterprise security standards.