Crystal Balling the Future of Application Security

New Generation of Developers Using Modern Code Languages Offer Hope


If the past four decades have taught us anything, it’s that predicting the future of computing, software, and networking technologies is something of a fool’s errand. That’s undoubtedly the case when it comes to crystal balling how application security will evolve in the coming five to ten years.

For evidence of the hazards involved, consider the decade-long findings of Veracode's annual State of Software Security (SoSS) report. The initial report, published in 2010, found that 72 percent of tested applications had at least one security flaw. Who would have predicted that, 10 years later, the latest Veracode study would find 83 percent of tested apps had at least one such flaw, an increase of 11 percentage points?

The reasons for the rise aren't certain. Perhaps it's simply that today's code-scanning tools are better at spotting vulnerabilities than their predecessors, so more of the flaws that were always there are now being counted. (In a somewhat more reassuring finding, the share of applications with high-severity flaws fell by 14 percentage points over the same period, from 34 percent of applications then to 20 percent today.)

Suffice it to say, trying to anticipate what the 2025 or 2030 SoSS reports will find has its risks. Still, it’s possible to make some educated guesses about the future of application security based on both today’s trends and tomorrow’s likely needs.

We can make at least one prediction with a high degree of confidence: cyber threats and attacks will continue the upward trajectory they’ve been on for years. Organizations developing and deploying applications can be certain they will be under increasing pressure to eliminate as many code-based vulnerabilities as possible.

Some of that pressure will come from regulators. For example, this January, the PCI Security Standards Council issued more stringent standards for the secure design and development of payment software. Software vendors will need to start validating their products against the new PCI Software Security Framework by June 2021.

Complying with security regulations is one thing, keeping customers happy is another. “We’re hearing from our customers that their customers are putting much more pressure on them to write secure code than the regulators,” says Chris Kirsch, who works on product strategy at Veracode.

A study of the top 10 computer science programs in the United States found that none of them required a secure coding course. "That's disconcerting," says Kirsch. "I do expect that to change over the next five or ten years, but we will still have a lot of coders in the industry that don't have a background in secure programming, and many developers enter the industry from other areas."

Some modern languages rule out entire classes of vulnerabilities, either because they were designed with security in mind or because they take error-prone tasks such as memory management out of the developer's hands. Veracode's SoSS study, for example, found that just 53 percent of apps written in Python had at least one security flaw on initial scan, compared with 87 percent of apps written in C++.
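To make that language point concrete, here is an added example (not code from the article or from Veracode) of the kind of bug a memory-safe language cannot express but C will happily compile. It parses a length-prefixed record, once as commonly written and once hardened with the bounds check the language does not perform for you. The record layout (one length byte followed by that many name bytes), the struct, and the sample inputs are all constructed for this illustration.

```c
/* Added example: a length-prefixed "user" record parser in C, in a
 * vulnerable and a hardened form. Layout assumed for this example:
 *   byte 0      = n, the length of the name
 *   bytes 1..n  = the name (not NUL-terminated on the wire)
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

struct user {
    char name[NAME_MAX];
    int  is_admin;          /* sits directly after the buffer in memory */
};

/* Vulnerable: trusts the length byte. It checks that the input is long
 * enough to read, but never that the destination is large enough to
 * write. A record with n >= NAME_MAX writes past name[] into is_admin,
 * the classic C overflow that a language with managed strings (such as
 * Python) cannot express at all. Never call this with untrusted data. */
int parse_user_unchecked(const uint8_t *rec, size_t reclen, struct user *u)
{
    if (reclen < 1) return -1;
    size_t n = rec[0];
    if (reclen < 1 + n) return -1;      /* input length check only */
    memcpy(u->name, rec + 1, n);        /* no check against sizeof u->name */
    u->name[n] = '\0';
    return 0;
}

/* Hardened: identical logic plus the one check the language leaves to
 * you. The name must fit in the buffer with room for the terminator;
 * oversized records are rejected with -2 instead of being copied. */
int parse_user_checked(const uint8_t *rec, size_t reclen, struct user *u)
{
    if (reclen < 1) return -1;
    size_t n = rec[0];
    if (reclen < 1 + n) return -1;      /* truncated input */
    if (n >= sizeof u->name) return -2; /* would overflow name[] */
    memcpy(u->name, rec + 1, n);
    u->name[n] = '\0';
    return 0;
}

int main(void)
{
    struct user u;

    /* Constructed benign record: length 5, "alice". */
    const uint8_t good[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    memset(&u, 0, sizeof u);
    printf("checked(good)  = %d, name=%s is_admin=%d\n",
           parse_user_checked(good, sizeof good, &u), u.name, u.is_admin);

    /* Constructed hostile record: length 40, forty 'A's. The hardened
     * parser refuses it; the unchecked one would smash is_admin. */
    uint8_t bad[41];
    bad[0] = 40;
    memset(bad + 1, 'A', 40);
    memset(&u, 0, sizeof u);
    printf("checked(bad)   = %d, is_admin=%d\n",
           parse_user_checked(bad, sizeof bad, &u), u.is_admin);
    return 0;
}
```

The difference between the two functions is a single comparison, which is exactly why the bug class survives in hand-written C and disappears in languages where every buffer carries its own length. A static scanner flags the first function; a memory-safe language would not have let the author write it.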

The coming years will also likely see an increase in the automation of security flaw identification and, to a degree, remediation. Automating remediation is a difficult undertaking, although some simple cases can already be automated. For example, some fixes require nothing more than an update to a newer version of an open source library, a process Veracode automates via its "auto-pull request" capability.

More broadly, says Kirsch, “security will become an automated part of development, in the same way that QA or performance tests are today.” As this occurs, development teams that aren’t performing app security processes today will increasingly do so in the future.

Still, Kirsch cautions, reducing software vulnerabilities will occur incrementally, not overnight. “With legacy software taking decades to phase out,” he says, “we’ll still see a lot of security debt in old software with low business criticality, while at the same time seeing an improvement in the security of newly developed code. The problems will shift but we’ll never be done.”

For further information about how Veracode can help your organization develop secure code and reduce your overall security debt, click here.


Copyright © 2020 IDG Communications, Inc.