Year after year businesses face challenges when it comes to security, and 2017 was no different. Instead of trying to lecture the industry about the importance of application security testing, organizations tried to find new ways to bring security front and center.
The problem is that developers don’t have proper security education for today’s world of coding, according to CA Veracode and DevOps.com’s 2017 DevSecOps Global Skills Survey. “With major industry breaches further highlighting the need to integrate security into the DevOps process, organizations need to ensure that adequate security training is embedded in their DNA,” said Alan Shimel, editor-in-chief of DevOps.com. “As formal education isn’t keeping up with the need for security, organizations need to fill the gap with increased support for education.” The CA Veracode State of Software Security Developer Guide, published in November, reiterated the need for security education, but noted that it isn’t a one-time proposition. With the threat landscape constantly changing along with application architectures, languages and features, developers need to keep learning application security skills and keep experimenting, both professionally and on their own time.
However, as development sped up throughout the year, organizations went beyond education and evolved the security role itself.
DevSecOps became a popular term and strategy in 2017 as a way to get DevOps teams to start thinking differently about security and bake it into the entire lifecycle. “The biggest problem today with application security is that the development organization is not goaled to secure their software. They are goaled to release software quickly. Without a mandate and shared accountability between security and development that is measured and reported at every level of the organization, security will continue to be hard,” said Peter Chestna, developer engagement for Veracode.
Another way teams and developers tackled security was through tools such as analytics, which can provide real-time visibility into threats and help teams respond faster. In addition, shifting security left (which is also a notion of DevSecOps) puts security earlier in the software development life cycle instead of leaving it to the end.
The year ended with the Open Web Application Security Project (OWASP) releasing its Top 10 most critical web application security risks that development teams should be aware of. It was the first update to the Top 10 since 2013. The 2017 edition lists: A1 injection, A2 broken authentication, A3 sensitive data exposure, A4 XML external entities (XXE), A5 broken access control, A6 security misconfiguration, A7 cross-site scripting (XSS), A8 insecure deserialization, A9 using components with known vulnerabilities, and A10 insufficient logging and monitoring.
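To make the top entry on that list concrete, here is an added example (not from the article, OWASP or Veracode) of A1:2017 Injection in a login check, shown vulnerable and hardened side by side. The in-memory SQLite table, the user names and passwords, and the `login_*` function names are all constructed for the illustration; passwords are stored in plaintext only to keep the example short, which is itself a separate Top 10 problem (A3) and not something to copy.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table for the demo (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords here are for brevity only; real systems store hashes.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse battery staple"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """A1:2017 Injection: untrusted input is spliced straight into the SQL text.

    With password = "' OR '1'='1" the WHERE clause becomes
        username = 'alice' AND password = '' OR '1'='1'
    which SQL parses as (username = 'alice' AND password = '') OR '1'='1',
    so every row matches and the first user is returned.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: bound parameters, so the driver never treats input as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Classic tautology payload used as the "password" (constructed test input).
INJECTION = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, wrong password:", login_vulnerable(db, "alice", INJECTION))
    print("vulnerable, unknown user:  ", login_vulnerable(db, "nobody", INJECTION))
    print("parameterized, same input: ", login_parameterized(db, "alice", INJECTION))
    print("parameterized, real creds: ", login_parameterized(db, "bob", "hunter2"))
```

The payload logs in as the first user in the table without knowing any password, while the parameterized query returns nothing for the same input. The fix is not escaping quotes by hand; it is never letting user input reach the SQL parser, which is what bound parameters guarantee.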
Looking ahead to 2018, Gartner predicts more organizations will adopt a continuous adaptive risk and trust assessment (CARTA) model as security becomes more important in a digital world.
Technologies that will pose the biggest risk throughout the new year will include intelligent transportation systems, machine learning and smart robots, according to Carnegie Mellon University’s Software Engineering Institute (SEI) 2017 Emerging Technology Domains Risk report.