Attackers have stepped up their application game in the past year. Sixty-two percent of organizations surveyed by software supply chain security vendor Anchore have been impacted by a software supply chain attack in the past year. The Solarwinds, Kaseya, and Codecov supply chain attacks are reminders of how these attacks affect critical infrastructure and organizations of all sizes. At the end of 2021, US state agencies learned that no agency or organization is too insignificant or application too mundane to be a jumping-off point when they were breached via a livestock web application. In February, Russia’s invasion of Ukraine changed the cyberthreat landscape for organizations around the world.
The good news is that there is an increased awareness and investment in software supply chain security and securing what you sell. According to Forrester Analytics Business Technographics® Security Survey, 2021, more organizations are adopting security testing from design to production and expanding the types of testing and protection they use than in 2020. The “shift left” trend Forrester identified in The State Of Application Security, 2021, continues and has expanded to a “shift everywhere” security methodology in 2022. Here are a few of the highlights from our survey data:
- APIs: Knowing is half the battle; securing it everywhere is the other half. APIs are the building blocks to applications, integrations, and platforms. Microservice architecture, the REST API standard, and the ease of cloud deployment have all contributed to the proliferation of APIs. APIs go beyond enabling applications to execute business logic or connect two systems. Our colleague David Mooter observes that an API business mindset is what transforms your business: viewing APIs as an interface into business capabilities, not applications. APIs unlock value for the organization, but they open a Pandora’s box of woes for the security team. Few organizations can enumerate all their APIs, and as the saying goes, “You can’t secure what you don’t know.” API security tools boast many different capabilities, but discovery is the first step in getting a handle on this aspect of your security posture. Once you have a handle on your API inventory, you must secure those APIs. In Forrester’s 2021 Security Survey, 40% of security decision-makers who are adopting API security reported that they are planning to adopt it in testing, while 43% noted plans to adopt it in development.
- Software composition analysis (SCA) is the belle of the ball. SCA’s popularity has grown along with open source usage. Attackers as well as developers recognize the efficiencies that drive development teams to utilize open source and third-party libraries instead of building their own. When 29% of popular open source libraries contain a vulnerability (according to a recent Sonatype report), attackers don’t have to work hard to find targets. SCA helps organizations identify vulnerabilities, license risks, conflicts, and noncompliant usage in open source and third-party components. Many software composition analysis tools are able to generate a software bill of materials (SBOM), an “ingredient list” for products that the US federal government requires from all suppliers as a part of the May 2021 Executive Order on Improving the Nation’s Cybersecurity.
- Bots behaving badly … 2021’s reality TV show. Attackers used bots to take advantage of resource scarcities, supply chain woes, and our fear of empty shelves. According to a recent LexisNexis report, bot attacks rose 32% year over year in 2021. Bots scooped up everything from toilet paper to coveted vaccine appointments. As early as October, experts were warning of the impacts to the holiday shopping season due to a global supply chain meltdown, advising consumers to buy early. Bots didn’t wait for Black Friday to start their holiday shopping. As soon as inventory hit the online shelves in late October, bots started buying up merchandise. Bad actors knew that with the existing shortages and holiday rush they could resell the goods at higher markups on online marketplaces. While the Grinch teamed up with bad bots in an attempt to steal Christmas in the US, Akamai reported that malicious bot activity spiked in India during Diwali celebrations and in China on Singles’ Day, both major shopping events. Retailers will likely have bot management at the top of their holiday wish list, as only 64% of retail security decision-makers who responded to Forrester’s 2021 Security Survey reported having adopted a bot management solution.
Bots, APIs, and SBOMs are only the tip of the iceberg. Dive into The State Of Application Security, 2022, to get the full picture of what’s in store for this year. Spoiler alert: Jeff is still not likely to be getting a PS5 anytime soon.