Internet AppSec Remains Abysmal & Requires Sustained Action in 2023


Can we build a defensible Internet? To improve the security of the Internet and the cloud applications it supports in 2023, we need to do better, experts say. Much better.

In December 2021 and into the beginning of 2022, companies famously scrambled to hunt down and mitigate a critical vulnerability in a widespread component of many applications: the Log4j logging library. The following 12 months of Log4Shell woes highlighted that most companies do not know all the software components that make up their Internet-facing applications, do not have processes to regularly check configurations, and fail to find ways to integrate and incentivize security among their developers.

The result? With the post-pandemic increase in remote work, many companies have lost their ability to lock down applications and remote workers and consumers are more vulnerable to cyberattacks from every corner, says Brian Fox, chief technology officer for Sonatype, a software security firm.

“Perimeter defense and legacy behavior worked when you had physical perimeter security — basically everyone was going into an office — but how do you maintain that when you have a workforce that increasingly works from home or a coffee shop?” he says. “You’ve stripped away those protections and defenses.”

As 2022 nears its close, companies continue to struggle against insecure applications, vulnerable software components, and the large attack surface area posed by cloud services.

The Software Supply Chain’s Gaping Holes Persist

Even though software supply chain attacks grew 633% in 2021, companies still do not have the processes in place to do even simple security checks, such as weeding out known vulnerable dependencies. In March, for example, Sonatype found that 41% of downloaded Log4j components were vulnerable versions.
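A minimal form of the "weed out known vulnerable dependencies" check the article says most companies skip, as an added example that is not from the article or from Sonatype. It scans the output of `mvn dependency:tree` for `log4j-core` and flags versions below the fixed releases published by Apache for the Log4Shell family of CVEs (2.17.1 on the main 2.x line, with the 2.12.4 and 2.3.2 backports for older Java runtimes); the dependency-tree text below is constructed for the example, and the artifact names in it are hypothetical.

```python
"""Flag known-vulnerable log4j-core versions in `mvn dependency:tree` output.

Added example, not code from the article. Fixed-version data follows the
Apache Log4j advisories for CVE-2021-44228, -45046, -45105 and -44832:
the 2.x line is fixed in 2.17.1, with backports 2.12.4 (Java 7) and
2.3.2 (Java 6). Log4j 1.x is end-of-life and is flagged on that basis.
"""
import re
from typing import List, Optional, Tuple

# Minimum safe version per branch. Versions not on the 2.3 or 2.12
# backport branches must be at least 2.17.1.
FIXED = {
    (2, 3): (2, 3, 2),
    (2, 12): (2, 12, 4),
    "main": (2, 17, 1),
}

# Matches the coordinate format Maven prints: group:artifact:type:version:scope
DEP_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:jar:(?P<ver>[^:\s]+):(?P<scope>\w+)"
)

# Constructed sample of `mvn dependency:tree` output (hypothetical artifacts).
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- com.example:reporting-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    The trailing element is 0 for pre-releases (beta9, rc1) and 1 for a
    final release, so '2.17.1-rc1' sorts below '2.17.1'.
    """
    base, _, qualifier = ver.partition("-")
    nums = [int(p) for p in base.split(".") if p.isdigit()]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2], 0 if qualifier else 1)


def is_vulnerable(ver: str) -> Optional[str]:
    """Return a reason if this log4j-core version should be replaced, else None."""
    v = parse_version(ver)
    if v[0] < 2:
        return "log4j 1.x is end-of-life and receives no fixes"
    fixed = FIXED.get((v[0], v[1]), FIXED["main"])
    # Compare against the final release of the fixed version (trailing 1).
    if v < fixed + (1,):
        return "below fixed version " + ".".join(map(str, fixed))
    return None


def scan_dependency_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (version, scope, reason) for every flagged log4j-core entry."""
    findings = []
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        reason = is_vulnerable(m["ver"])
        if reason:
            findings.append((m["ver"], m["scope"], reason))
    return findings


if __name__ == "__main__":
    for version, scope, reason in scan_dependency_tree(SAMPLE_TREE):
        print(f"log4j-core {version} ({scope}): {reason}")
```

Two caveats a practitioner should keep in mind. First, `mvn dependency:tree` only sees declared dependencies: shaded or fat JARs, vendor-repackaged copies under `WEB-INF/lib`, and anything bundled into an application server need a filesystem scan of JAR contents as well. Second, a check like this is only as good as the fixed-version table, which is why teams generally drive it from a software bill of materials and a maintained vulnerability feed rather than hand-kept constants.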

Meanwhile, companies are increasingly moving infrastructure to the cloud and adopting more Web applications, tripling their use of APIs: the average company now uses 15,600 APIs, and traffic to APIs quadrupled in the last year.

This increasingly cloudy infrastructure makes users’ human fallibility the natural attack vector into enterprise infrastructure, says Tony Lauro, director of security technology and strategy at Akamai.

“The…

Source…