Enterprise Strategy Group (ESG) Survey
CSO Online ran an article last August covering some notable application security statistics from a study by the Enterprise Strategy Group (ESG). The article, titled The State of Application Security: What the Statistics Tell Us, highlighted a striking finding from the report: 79% of organizations push vulnerable code to production either occasionally or regularly, yet those same organizations rated their own application security posture as fairly good, with a mean rating of 7.92 out of 10. The finding is an interesting contradiction. A partial explanation of the paradox appears in another question, where respondents said they released vulnerable code to production to meet a critical deadline (54%), because the vulnerabilities were judged low risk (49%), or because the issues were discovered too late in the release cycle (45%).
NIST Study About Cost of AppSec Defects
These findings highlight why integrating security as early as possible is crucial, especially to avoid, or at least reduce, the instances where vulnerable code is released to production. Finding or preventing vulnerabilities earlier in the development cycle has another benefit: the cost of remediating them drops. NIST (the National Institute of Standards and Technology) published a study that found potential savings of up to 30x per bug, and up to 60x for a security defect, when the problem is fixed earlier in the development process.
The New NIST SP 800-53 Revision 5 Security and Privacy Controls
Eliminating vulnerabilities during the development life cycle starts with thinking about and incorporating security earlier in that life cycle, a movement that is gaining traction and is known as “shift left”. In addition to shifting left, improving testing results during the development phase is another important lever for reducing vulnerabilities in production. The new NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, adds a testing methodology aimed at improving pre-production testing results: control enhancement SA-11(9), Interactive Application Security Testing (IAST), under SA-11, Developer Testing and Evaluation. This is the first time a NIST control catalog has recognized IAST. Like other control enhancements, it is mandatory only where an organization's baseline or tailoring selects it, so check whether SA-11(9) is in scope for your systems before treating it as a blanket requirement.
IAST is one of the new application security recommendations in the updated NIST catalog, and if you haven’t heard of IAST, there’s a good definition available from Optiv:
“IAST is an emerging application security testing approach which combines elements of both of its more established siblings in SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing). IAST instruments the application binary which can enable both DAST-like confirmation of exploit success and SAST-like coverage of the application code. In some cases, IAST allows security testing as part of general application testing process which provides significant benefits to DevOps approaches. IAST holds the potential to drive tests with fewer false positives/negatives and higher speed than SAST and DAST.”
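The Optiv definition above is abstract, so here is the mechanism in miniature. This is an added example written for this page, not code from Optiv, K2 or NIST: a hook on sqlite3 query execution stands in for the agent's binary instrumentation, test inputs are marked as tainted the way an agent would tag HTTP parameters, and when tainted text reaches the SQL sink verbatim the agent records the application frame that built the query (the SAST-like "where in the code" result) while the probe itself confirms the exploit by the extra rows it gets back (the DAST-like result). The connection factory, the substring taint check, the `' OR '1'='1` probe and the two-user sample table are all simplifications assumed for the illustration.

```python
"""Toy IAST-style agent (added example, not K2's or Optiv's code).

Hooks the SQL sink (sqlite3 cursor.execute), marks test inputs as tainted and,
when a tainted string shows up verbatim inside the SQL text, records the app
code location that built the query. A DAST-style probe against the vulnerable
function confirms the exploit (extra rows come back) and the agent reports
where the data reached the sink; the hardened version stays silent.
"""
import sqlite3
import traceback
from dataclasses import dataclass, field


@dataclass
class Finding:
    sql: str        # the query text seen at the sink
    payload: str    # the tainted test input found inside it
    location: str   # "function:line" of the application frame that built it


@dataclass
class Agent:
    tainted: set = field(default_factory=set)
    findings: list = field(default_factory=list)

    def taint(self, value: str) -> str:
        """Mark a test input as untrusted (a real agent tags it at the HTTP layer)."""
        self.tainted.add(value)
        return value

    def check_sink(self, sql: str) -> None:
        """Sink hook: tainted text inside the SQL string means it was concatenated, not bound."""
        for payload in self.tainted:
            if payload in sql:
                self.findings.append(Finding(sql, payload, _app_frame()))


# names of the agent's own frames to skip when locating the application code
_AGENT_FRAMES = {"_app_frame", "check_sink", "execute"}


def _app_frame() -> str:
    """Walk outward from the sink to the first frame that is not part of the agent."""
    for frame in reversed(traceback.extract_stack()):
        if frame.name not in _AGENT_FRAMES:
            return f"{frame.name}:{frame.lineno}"
    return "unknown"


AGENT = Agent()


class InstrumentedCursor(sqlite3.Cursor):
    """Cursor whose execute() passes the SQL text through the agent before running it."""
    def execute(self, sql, parameters=()):
        AGENT.check_sink(sql)
        return super().execute(sql, parameters)


class InstrumentedConnection(sqlite3.Connection):
    """Connection factory so every cursor the application obtains is instrumented."""
    def cursor(self, factory=InstrumentedCursor):
        return super().cursor(factory)

    def execute(self, sql, parameters=()):
        return self.cursor().execute(sql, parameters)


def open_db() -> InstrumentedConnection:
    """Constructed sample database (assumed for the example): two users, one admin."""
    conn = sqlite3.connect(":memory:", factory=InstrumentedConnection)
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin')")
    conn.execute("INSERT INTO users VALUES ('bob', 'user')")
    return conn


def find_user_vulnerable(conn, name: str):
    # deliberately vulnerable: untrusted input is concatenated into the query text
    return conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def find_user_hardened(conn, name: str):
    # hardened: the value is bound as a parameter, so it cannot change the query structure
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def run_probe(app_fn, payload: str = "' OR '1'='1"):
    """DAST-style probe run with the agent attached; returns (rows, findings)."""
    AGENT.tainted.clear()
    AGENT.findings.clear()
    conn = open_db()
    try:
        rows = app_fn(conn, AGENT.taint(payload))
    finally:
        conn.close()
    return rows, list(AGENT.findings)


if __name__ == "__main__":
    for fn in (find_user_vulnerable, find_user_hardened):
        rows, findings = run_probe(fn)
        print(fn.__name__, "rows:", len(rows),
              "findings:", [(f.payload, f.location) for f in findings])
```

Against `find_user_vulnerable` the probe gets both users back (the injected `OR '1'='1'` widened the WHERE clause) and the agent reports one finding pointing at that function; against `find_user_hardened` the payload travels as a bound parameter, no row matches, and the agent stays quiet. Two caveats a practitioner would add: the substring check is a stand-in for real taint propagation, so it would miss a payload that was encoded on its way to the sink and would false-positive if a tainted value happened to be a legitimate literal in the query, and the probe here drives the code directly, whereas a production agent sits underneath whatever functional or DAST tests already exercise the application, which is the DevOps benefit the definition refers to.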
K2 Cyber Security Can Provide IAST Results
Here at K2 Cyber Security, we’d like to help out with your IAST requirements (and your application security during runtime too). K2 offers a runtime protection solution that detects true zero-day attacks while generating the fewest false positives and alerts. Rather than relying on technologies like signatures, heuristics, fuzzy logic, machine learning or AI, we use a deterministic approach to detect true zero-day attacks, without being limited to attacks recognizable from prior attack knowledge. Deterministic security uses application execution validation: it verifies that the application's API calls are functioning the way the code intended. No prior knowledge about an attack or the underlying vulnerability is used, which is what gives our approach the ability to detect new zero-day attacks. Our technology has 8 patents granted or pending, and has no false alerts.
The Need for Deterministic Security
K2’s technology can also be used alongside DAST tools to provide IAST results during penetration and vulnerability testing. We’ve also recently published a video, The Need for Deterministic Security. The video explains why the technologies used in today’s security tools, including web application firewalls (WAFs), fail to prevent zero-day attacks and how deterministic security fills the need for detecting them. It covers why technologies like artificial intelligence, machine learning, heuristics, fuzzy logic, and pattern and signature matching fail to detect true zero-day attacks, giving specific examples of attacks where these technologies work and where they fail to detect an attack.
The video also explains why deterministic security works against true zero-day attacks and how K2 applies it. Watch the video now.
Change how you protect your applications: include RASP, and check out K2’s application workload security.