It should be no surprise that taken as a whole, organizations are failing at application security. Whether it’s the findings of the Verizon Data Breach Incident Report or the latest studies from Forrester’s The State of Application Security, we know that applications are making it to production with more vulnerabilities than ever, and attacks on web applications have doubled in the most recent year. It’s really time to change how we think about application security, how we protect our applications, and how we detect attacks.
If you look at how most organizations handle application security today, there’s two places where security should be emphasized. First there’s pre-production/development, and ideally organizations should be thinking about security during the development of the application. In the past that meant coding with security in mind and security testing, including SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing).
The second area organizations should be focusing on security for applications is during production or runtime of the application. In the past that has meant security in two places. First the network perimeter, and the use of a web application firewall (WAF), along with the security on the server the application is running on. Most organizations continue to rely on standard anti-virus or Endpoint Detection and Response (EDR) solutions (solutions that are designed for end-user systems, rather than servers) to protect their servers.
Since neither of these areas of security focus have been successful at fending off attacks in the recent years, then maybe it’s time to rethink the way organizations approach application security, both during development and in production. The release of a new NIST SP800-53 Revision 5 Security and Privacy Framework is a good indication that things need to change and gives us insight as to what the next generation of application security is going to look like.
The latest revision of NIST SP800-53 includes the requirement of RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing). It’s a first in recognizing these two…