Last updated Wednesday, 15 March 2023, 19:33:03 GMT

It’s always a good thing to take a step back every once in a while to get the lay of the land. Like you, we are always working at a breakneck pace to help secure the web applications being built today and to ready ourselves to secure the innovations of the future. When Forrester released its State of Application Security, 2022 report a few weeks ago, we thought it was a great time to share where we think AppSec is headed and several places where we agree with Forrester’s take on the state of play.

Here are some of the highlights.

Modern applications require end-to-end SDLC coverage

When we think about the software development lifecycle (SDLC), there is always a key focus on “shifting left.” This makes sense: we want to find security vulnerabilities earlier to save time, money, and risk exposure in production. However, if there’s one thing we’ve learned in the last 12 months with recent emergent threats, it’s that no matter how much you try to secure your applications pre-production, you still need to have runtime protections in place for your business-critical applications. The Forrester report notes that the idea of “shift everywhere” seems to be gaining traction, which includes shifting both left and right. According to the Forrester report, 58% of global senior security decision-makers plan to increase their application security budget this year. We can expect spend on tooling across the SDLC to be prioritized.

An example of this – highlighted by recent vulnerabilities such as Log4Shell and Spring4Shell – is the adoption of software composition analysis (SCA) in production. While finding and fixing third-party packages with vulnerabilities in pre-production environments is absolutely critical, customers are also going to require production coverage for open-source libraries. Rapid7 tools have helped our customers detect vulnerable third-party packages in their runtime environments. You can read more about how we helped our customers do this in this blog post.

As infrastructure continues to become code and modern development technologies such as containers are adopted, the risk associated with these technologies grows as well. This modern approach to application development means that investment in modern security practices like container and IaC scanning is key to a best-in-class AppSec program.

APIs are growing, and so are their risks

APIs are the way in which modern applications communicate. Nearly every modern application uses one or more APIs – or even is an API. API usage continues to rise across the world – and attackers have started to take notice. Malicious API traffic almost doubled between December 2020 and January 2021, Forrester reports.

APIs are now clearly part of organizations’ growing attack surface, and their importance will continue to grow over the next few years. That means they need to be a critical component of any security program. There are many ways to protect APIs, including proactively scanning them and monitoring them for any malicious activity.

Developers have a growing influence

Between the threats we’ve experienced from vulnerabilities in open-source software components and the fact that open source accounts for 75% of audited code bases, as Forrester’s latest State of Application Security report points out, we see a growing need to include developers in security decision-making. Development teams are critical stakeholders – and often, they need just as much input when it comes to which security tools and practices to implement.

As modern applications require modern development technologies, development teams are looking to partner with security teams on ways to implement compensating controls without slowing down development. We can continue to expect an increase in the influence that development teams have on security programs.

These are just a few highlights about the current state of application security and the trends that will shape it this year, next year, and in the years to come. As always, we will keep our finger on the pulse of application security and help drive the practice forward to help you keep your organization safe.
