It’s that time of the year again, where everyone under the sun comes up with predictions. We’re not fans of predictions, so instead, we give you Security Journey’s Application Security Things to Watch in 2022. We expect these areas to develop over the next three-hundred and sixty-five days.
Security culture has become a thing over the past few years. It was a fledgling idea when we first started talking about it back at RSA Conference in 2017. Security culture has now reached a stage where it’s being spoken of and applied with much greater focus.
Security culture needs to continue to grow, and organizations need to dedicate resources to thinking about it. Security culture is the culmination of training and education, workforce development, your product/applications security stance, your reputation in the industry regarding security, and your internal security community/champions—worth the investment in 2022.
There are security tools everywhere; whole cottage industries have sprung up around software composition analysis, container security, and the classical categories of SAST and DAST. But how many of those tools truly add value to the developers that commit code? Be on the lookout for tools that add value. Drop the tools that add noise.
Note, because a tool provider claims “developer-first,” it doesn’t mean they have embraced that in their technology. Dig deep into claims and increase your tool quiver with tools that improve the lives of your products AND developers.
We’re watching and hoping that the insecure software supply chain DOES NOT become the new data breach. Think about how you react to data breaches these days. You gloss over the details because data breach has become part of the noise. We need to watch the software supply chain and ensure that we don’t lose our focus.
The historical supply chain issues will push us. We have seen infiltrated repositories, primed repositories, and source swaps (typosquatting). Trojan Source adds to the mix, using control characters embedded in comments and strings to reorder source code characters in a way that changes its logic. The software supply chain is already on your radar for 2022 – keep your focus tight.
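One concrete check you can put in front of a code review or CI step is a scan for the Unicode bidirectional control characters that Trojan Source relies on. The script below is an added example written for this post, not Security Journey's own tooling; the sample source snippet is constructed, and the table of bidi control characters comes from the Unicode standard.

```python
import sys
import unicodedata

# Unicode bidirectional (bidi) control characters. Trojan Source embeds these in
# comments and string literals so the code a reviewer sees rendered differs from
# the character sequence the compiler actually processes.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(source: str, all_format_chars: bool = False):
    """Return (line, column, name) for every bidi control character in `source`.

    With all_format_chars=True, any Unicode 'Cf' (format) character is reported
    as well, which also catches zero-width and similar invisible characters.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((line_no, col, BIDI_CONTROLS[ch]))
            elif all_format_chars and unicodedata.category(ch) == "Cf":
                hits.append((line_no, col, unicodedata.name(ch, "U+%04X" % ord(ch))))
    return hits


def scan_files(paths):
    """Scan files on disk; returns {path: hits} for files that contain bidi controls."""
    findings = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_bidi_controls(fh.read())
        if hits:
            findings[path] = hits
    return findings


# Constructed sample: the comment on line 3 carries a hidden RLI ... PDI pair.
SAMPLE = "x = 1\n# safe comment\nif ok:\u2067 # \u2069 return\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = scan_files(sys.argv[1:])
        for path, hits in findings.items():
            for line, col, name in hits:
                print(f"{path}:{line}:{col}: bidi control {name}")
        sys.exit(1 if findings else 0)   # non-zero so a CI job fails on a hit
    else:
        print(find_bidi_controls(SAMPLE))
```

Run it with file paths as arguments to gate a build; a non-zero exit on any finding is the behaviour you want in a pipeline. Legitimate right-to-left text in comments will also trigger it, so treat hits as review items rather than automatic rejections.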
We’ve been following the Software Bill of Materials work closely. We discussed them with Kevin Greene on the Application Security Podcast, and with JC Herz and Steve Springett under SBOMs and software supply chain assurance.
Build a strategy for SBOM within your organization. Start small. You can't SBOM everything, but pilot something. There could be a time soon when SBOM becomes mandatory by way of market drivers.
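A pilot can be as small as one service whose dependencies are already pinned. The script below, an added example rather than anything from this post or from the CycloneDX project, turns a pinned Python requirements file into a minimal CycloneDX 1.4 document and refuses anything that is not an exact pin, because a version range does not identify one artifact. The project name, versions and requirements content are constructed.

```python
import json
import re

# Exact pin only: "name==version", optional trailing comment. Constructed for this example.
PINNED = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9.+!-]+)(?:\s*#.*)?$")


def is_exact_pin(line: str) -> bool:
    """True when a requirements line names exactly one version."""
    return PINNED.match(line.strip()) is not None


def parse_pinned_requirements(text: str):
    """Turn a pinned requirements file into CycloneDX component dicts.

    Anything that is not an exact '==' pin is rejected: 'requests>=2.0' could
    resolve to many artifacts, so it cannot be recorded in an SBOM.
    """
    components = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PINNED.match(line)
        if not m:
            raise ValueError(f"not an exact pin (need name==version): {line!r}")
        name, version = m.group(1).lower(), m.group(2)
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:pypi/{name}@{version}",   # package URL identifies the artifact
        })
    return components


def build_cyclonedx(app_name: str, app_version: str, components):
    """Minimal CycloneDX 1.4 JSON document describing one application."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": components,
    }


def component_count(sbom) -> int:
    return len(sbom["components"])


# Constructed sample input (hypothetical project and versions).
SAMPLE_REQUIREMENTS = """\
# pinned by the pilot project's lock step
Requests==2.28.1
urllib3==1.26.12  # transitive, pinned explicitly
"""

if __name__ == "__main__":
    sbom = build_cyclonedx("pilot-service", "0.1.0", parse_pinned_requirements(SAMPLE_REQUIREMENTS))
    print(json.dumps(sbom, indent=2))
```

Generating the document is the easy part; the value of the pilot comes from wiring it into the build so the SBOM is produced on every release and diffed against the previous one.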
We are expecting more application/software security-induced mega-vulns. Log4J/Log4Shell points back to a log injection, which at its root is a lack of input validation. AppSec will be front and center in a not-so-good way. As an industry, we’ve battled mega-vulns before, and we have seen change as a result. Remember, Nimda and CodeRed were the impetus for Bill Gates sending the Trustworthy Computing Memo to all of Microsoft and changing the face of how Microsoft approached security.
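The general class behind that root cause is untrusted input written straight into a log message. The example below is added here and is not from this post; it does not model Log4j's lookup expansion, only the plainer log-forging case, using Python's standard logging module. A constructed username containing a line break produces two log entries under a naive formatter and one under a formatter that scrubs control characters before the record is written.

```python
import io
import logging


def sanitize_for_log(value: str, max_len: int = 200) -> str:
    """Escape CR/LF and other control characters so one call produces one log line."""
    out = []
    for ch in value[:max_len]:
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append(f"\\x{ord(ch):02x}")   # e.g. terminal escape sequences
        else:
            out.append(ch)
    if len(value) > max_len:
        out.append("...[truncated]")
    return "".join(out)


class SanitizingFormatter(logging.Formatter):
    """Formatter that scrubs the fully rendered message, so %-style args are covered too."""

    def format(self, record: logging.LogRecord) -> str:
        original = (record.msg, record.args)
        record.msg, record.args = sanitize_for_log(record.getMessage()), ()
        try:
            return super().format(record)
        finally:
            record.msg, record.args = original


def render_login_failure(username: str, formatter: logging.Formatter):
    """Log one failed-login event through `formatter`; return the emitted lines."""
    buf = io.StringIO()
    logger = logging.getLogger(f"appsec-demo.{id(buf)}")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(formatter)
    logger.addHandler(handler)
    try:
        logger.info("login failed user=%s", username)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue().splitlines()


FORMAT = "%(levelname)s %(message)s"
NAIVE_FORMATTER = logging.Formatter(FORMAT)
SAFE_FORMATTER = SanitizingFormatter(FORMAT)

# Constructed attacker-controlled username: a line break followed by a forged entry.
FORGED_USERNAME = "bob\nINFO login ok user=admin"

if __name__ == "__main__":
    print(render_login_failure(FORGED_USERNAME, NAIVE_FORMATTER))   # two lines
    print(render_login_failure(FORGED_USERNAME, SAFE_FORMATTER))    # one line
```

Scrubbing at the formatter is the safety net; validating the username at the point of entry (length, allowed character set) is the input validation the paragraph is pointing at, and both belong in place.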
In 2022, we’re watching for the flashpoint that brings AppSec even more into the center stage.
Threat modeling is the first thing I recommend for new programs, and it’s the activity to watch in 2022. This is your year if you haven’t begun a programmatic effort for secure design. The tools are maturing, both open source and commercial. The knowledge is available. The books and online guides have been written (Threat Modeling Manifesto). The time is now to execute.
Conclusion
At Security Journey, we’re AppSec Practitioners first. We watch our industry and share these insights because we love this discipline. Watch these things along with us, and put some of these pieces into action with your program!
P.S. My final recommendation for you to watch is our latest AppSec Explained video. We tackled the topic of Outdated Components.