Paul Farrington, Veracode EMEA CTO
Pejman Pourmousa, Veracode VP of Services
Chris Wysopal, Veracode CTO and co-founder
As we said in the introduction to our 10th anniversary State of Software Security report this year, the last 10 years in AppSec saw both enormous change, and a fair amount of stagnation. Part of the reason for the stagnation is that software development is increasing at unprecedented rates, and security is often struggling to keep up. So as we shift our focus from reflection to prediction, we think application security in 2020 will be all about new solutions and best practices to keep up with the pace of development and empower developers to code both quickly and securely. A few AppSec themes we expect to see renewed focus on in 2020 include:
With a security skills shortage, and an explosion of software development, it’s time to get creative to spread security skills and know-how across development teams. A security champions program is becoming a popular way to do this, and we expect to see more of these programs in 2020. In a recently released report, Building an Enterprise DevSecOps Program, security analyst Adrian Lane notes, “I spoke with three midsized ﬁrms this week — their development personnel ranged from 800-2000 people, while their security teams ranged from 12 to 25.” In the same report, he says of assigning security champions to development teams, “Regardless of how you do it, this is an excellent way to scale security without scaling headcount, and we recommend you set aside some budget and resources — it returns far more beneﬁts than it costs.”
A security champion is a developer with an interest in security who helps amplify the security message at the team level. Security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either ﬁx the issues in development or call in your organization’s security experts to provide guidance.
With a security champion, an organization can make up for a lack of security coverage or skills by empowering a member of the development team to act as a force multiplier who can pass on security best practices, answer questions, and raise security awareness.
Metrics that make sense
Metrics — or perhaps more accurately, the right metrics — are crucial for understanding what’s really happening in your AppSec program. They serve a dual purpose: They demonstrate your organization’s current state, and also show what progress it’s making in achieving its objectives.
On the flip side, focusing on the wrong metrics can lead to frustration, disengagement, and a stalled program. If you’ve got an overly stringent AppSec policy – for instance, “fix all flaws found within two weeks” – your metrics will not paint a pretty picture, and your developers will give up before they’ve begun. We think 2020 will be the year of getting AppSec metrics right with smart, achievable, sensible AppSec policies.
We will increasingly see a focus on providing developers with simple cues to encourage the right behavior, but in a realistic way. For example, teams start by classifying those security bugs that are highest priority, those that are important but not showstoppers, and those that, although not ideal, are acceptable to exist. Especially for the first two categories, they then track the average time to fix a security bug, baseline, and then negotiate targets so that engineers and product owners can buy-in. These metrics may ultimately help to determine compensation, but perhaps initially are linked to softer benefits for the team.
Security across the pipeline
We’re seeing organizations start to build security into each phase of the development pipeline, and expect to see more of this shift in 2020. From pre-commit scans in the the IDE (my code), to build scans in the CI pipeline (our code), to deployment scans in the CD pipeline (production code), security testing will cover code from inception to production.
DevSecOps is no longer niche—organizations are moving faster and producing more software than ever before. Scaling is the name of the AppSec game in 2020. AppSec programs that are cumbersome or slow to scale will not last in this new decade. What are the keys to scaling AppSec?
A SaaS-based solution: The time and budget required to quickly scale an on-premises AppSec solution make it ill equipped for a modern DevSecOps environment.
Expert help: Outside AppSec expertise can be useful in helping to establish your security program’s goals and roadmap. More importantly, it can help keep your roadmap on track by guiding developers through the fixing of flaws your scans find.
Security champions: As we discussed in the section above, security champions will be key to doing more with less security staff.
More and more security regulations are specifically calling out the need for application security – from NIST, to PCI, NY DFS, and GDPR. In turn, the need for a documented application security processes will become paramount in the new year. The Financial Services Sector Cybersecurity Profile from the FSSCC is an example of how FinTech firms are trying to unify reporting standards for the various regulatory frameworks.
Demand for secure software
IT buyers are increasingly questioning the security of software they are purchasing. If you can’t answer questions about your security practices or can’t address your customers’ audit requirements, you’re likely to experience lost or delayed sales opportunities. In some cases, prospects will turn elsewhere. However, vendors that can address these security concerns quickly and effectively stand out among suppliers and leverage security as a competitive advantage. A recent survey report we conducted with IDG found that 96 percent of respondents are more likely to consider doing business with a vendor or partner whose software has been independently verified as “secure.”
In addition, thanks to the speed of modern software delivery, we will see the methods for attesting to the security of software change. For example, we anticipate a shift to process-based attestations, such as proof of the security of an application’s development process (as with Veracode Verified), rather than point-in-time third-party pen tests. Point-in-time tests will carry less and less weight as the speed of software updates and changes increase.
What’s behind this demand for proof of security? It stems in part from new, more dire impacts from security breaches. When Target was breached in 2013, it created headlines for a few weeks, but it didn’t really affect its bottom line. Today, that has changed. Now we are seeing acquisitions fail, CEOs lose jobs, and stock values take hits because of breaches. Proving your software is secure will give companies an advantage in 2020.
Continue the conversation – join our upcoming discussion on AppSec in 2020 in our upcoming webinar, AppSec in 2020: What’s on the Horizon.