For the troops in the trenches, application security can seem like a Sisyphean task. But if they feel that any progress they make keeps rolling back like Sisyphus' rock, they should take heart in the progress AppSec has made in the last five years.
So says Chris Romeo, CEO of Devici and a leading voice in the AppSec and threat modeling community. In his Reasonable AppSec newsletter, Romeo asked rhetorically: Are we getting better or worse at AppSec? One area he focuses on is software supply chain security as a measure of the state of AppSec.
"The supply chain is an area that has seen much change in five years, but that is more due to the tooling and attention that has been placed on this segment of our industry. Yes, we are using open source more, but we still relied upon open source five years ago."
—Chris Romeo
Romeo recommended that AppSec practitioners take a "glass half full" approach and look at all the positives in their discipline:
"Let’s be cybersecurity professionals who are optimistic about the movement we’re causing across our industry. Let’s continue to focus on the people, process, tools, and governance stance of AppSec/ProdSec."
Here's a review of the state of AppSec — and experts' opinions on whether the industry is moving forward fast enough to keep up with the changing threat landscape.
[ Special report: The State of Software Supply Chain Security (SSCS) 2024 ]
The future looks bright for progress in AppSec
Romeo pointed to several areas of progress in AppSec. One example is the rise of more secure programming languages. "Five years ago, we had the same distribution of languages and frameworks," he wrote. "Maybe not everything that exists today existed then, but if anything, we’ve improved the field by including Go and Rust in the modern language field."
Joshua Knox, senior technical product marketing manager at ReversingLabs, agreed that more secure languages are integral to the overall improvement of AppSec.
"There seems to be a consensus that Rust is going to be better for avoiding buffer overflows and some of the gotchas that the C programming language has had. We've seen that in Rust finding its way into the Linux kernel."
—Joshua Knox
However, Chris Hughes, chief information security officer and co-founder of Aquia, noted that the industry still has a long way to go in pivoting to safer programming languages.
"We've seen a lot of evangelism for the shift from groups such as CISA, and while greenfield applications may be able to start off with more secure languages, the vast majority of legacy systems are still written in languages that often precede these more secure languages we see the push for."
—Chris HughesJeff Williams, CTO and co-founder of Contrast Security, said it took 30 years of programming to build the foundation of all computing in C/C++.
"Replacing the foundation with safer languages will likely take much longer. Our C/C++ foundation has the benefit of 30 years of torture to make it strong. However, perhaps a few new projects will choose safer languages from the get-go. I suppose that's a bit of progress."
—Jeff Williams
Progress in container and supply chain security
Container security is another progress area identified by Romeo. "Containers have become more prevalent in five years, but I would argue that they haven’t become more insecure," he wrote. "We haven’t moved the needle as much as we’d like to claim, but we haven’t gotten worse."
While Aquia's Hughes noted that container scanning tools have improved, he said there are still difficulties with disparate outputs and findings across different tools. "We also have seen a lot of guidance from groups such as CNCF, as well as leading cloud-native security companies advocating for container security," he explained.
"Some innovators are offering secure images as a product offering, which helps organizations build on secure foundations. We see so many critical and high vulnerabilities due to container bloat and the inclusion of dependencies that aren't necessarily needed but are vulnerable in base images, and then applications are built on top of those."
—Chris Hughes
ReversingLabs' Knox said that the industry is making good progress on software supply chain security.
"'Shift-left' is working. Everyone knows the mantra now. They know they have to do things like signing commits to make sure the commits are coming from the people we think they're coming from, and scanning code for bad patterns and bad practices, and scanning dependencies for compromise."
—Joshua Knox
While acknowledging the strides made in software supply chain security, Hughes noted that the challenges remain complex and vast in both open-source and commercial products as well as in underlying infrastructure and build systems. Guidance from organizations such as the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the National Institute of Standards and Technology (NIST), and the Cloud Native Computing Foundation (CNCF) is helpful — but it isn't everything, he said. "Organizations now need to do the hard work of actual implementation so we aren't best practices-rich and implementation-poor. We continue to see increased focus on this problem from security leaders, as well as innovative startups and investments from the venture community to try and tackle the software supply chain challenges."
Contrast's Williams said the only real progress is that organizations are now starting to understand some of the dangers that their software supply chain creates. "But most organizations are still trying to get their heads around their direct use of software libraries," he said. Organizations have a long way to go as they start to realize that they have to think about "transitive dependencies, all the tools in their development pipelines and on their developer workstations, all of the dependencies of all of those tools, etc."
"There are millions of people in the software supply chain for every product, and we know very little about most of them and their intentions."
—Jeff Williams
Don't shame and blame developers
Romeo also called for continued investment in people as essential to improving AppSec. "When we invest in the people and provide them the guardrails and paved roads they need for success, we allow them to help us move AppSec and ProdSec forward to the point where we can claim a significant movement in five years," he wrote.
Williams said AppSec has been advancing rapidly in recent years. "This is by far the most interesting time in the 25 years of my AppSec career," he said. "Governments around the world are trying to figure out whether they want a transparency regime, liability regime, or something else. Personally, I think a transparency regime is ideal, as I don't think the government is well positioned to decide what 'secure' means for the vast range of software being produced."
But Williams said one trend that worries him is placing the onus for AppSec on development teams, which are under pressure to deliver more features, faster than ever, in the age of continuous delivery/continuous integration (CI/CD).
"[There] are those that want to shame and blame developers, which I think will backfire. Whatever happens, it's one of the most critical challenges facing the world. The [World Economic Forum] has cybersecurity at the No. 4 global risk, right after pan-epidemics and right above global armed conflict."
–Jeff Williams
Modernizing tooling for the supply chain security era is key
Even though AppSec has evolved in recent years, the reality is that it's not changing fast enough. Today's software development practices and tool chain remain woefully behind attackers.
For AppSec to get ahead, it must make a giant leap forward to modern practices and tooling to tackle the new era of software supply chain attacks, Knox said.
"We need to convince the right people in companies to budget better for security and to recognize [that] the cost of securing the software supply chain [is] a cost of doing business."
—Joshua Knox
