This post originally appeared on CSO Online.
2016 is upon us and it is time to review what we think will happen in the fast-paced world of application security. Security is always evolving just as attacks, hacks and vulnerabilities shift and as new technologies enter the landscape. Security must adapt in order to protect businesses, consumers and treasured data. Can today’s security practices achieve security assurances, rooted in sound computability theory? We believe so.
Here are six predictions for 2016 that we believe will impact the security landscape and protocols.
1. Nothing will change… except thinking
There will be attacks, hacks and break-ins. Data will get stolen, and SQL injections used to access treasured data will continue to be the leading attack vector against applications. Data exfiltration will continue to occur. The applications that fuel businesses will increasingly become a target for hackers, with legacy apps being the main target. This will make large enterprise CISOs, CIOs and CTOs converge to look into holistic security solutions, wherein the business and the applications that engage customers are at the center of security planning, customers are kept safe, and hackers are left stumped. Security leaders will shift their attention to protecting applications.
2. Budget priorities will shift
Money and budgets will move to protect the applications that hackers often target, such as in the financial, retail, and eCommerce industries. Application security will increase in importance and budgets will start shifting from a legacy fragmented security ecosystem (perimeter-based) to new application-centric security solutions. The retail sector will see a budget shift as the focus moves from brick-and-mortar security to application security due to the new EMV (Europay, MasterCard, and Visa) chip requirements.
3. Focus will move to run-time protection
The focus will shift from identifying to fixing vulnerabilities at runtime. There will be a move from monitoring and assessment to protection. Perimeter protection, penetration testing, and other outside-in methods were all about finding vulnerabilities. Next year, new technologies will enable companies to fix ONLY those vulnerabilities that are actually being exploited, allowing security information and event management tools (SIEMs) to move from pure data collection to real-time threat interpretation, sharing and feeding protection solutions. Fixing only what is truly being exploited in production environments (the new method) versus trying to fix everything (the traditional method) could virtually eliminate vulnerability backlogs.
4. New technology will eliminate the need for signatures
The traditional way of approaching security will give way to newer technologies like LANGSEC. Traditional signatures and patterns result in too many false positives and require tuning and human intervention -- limiting scalability and impacting application performance. New approaches such as LANGSEC help draw a boundary between protocols and API designs that can and cannot be secured, while charting a way to build truly trustworthy protocols and systems. By updating the approach to security with new technologies and protocols, hackers might actually face some tough roadblocks impacting their efforts.
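As an added illustration of the signature-versus-LANGSEC distinction (example code written for this page, not from the original post or any product): the blacklist below flags legitimate customer names as attacks, while a recognizer for an assumed, constructed grammar of a name-search field accepts exactly the valid language and rejects everything else without knowing a single attack pattern.

```python
import re

# Signature/pattern approach (the "traditional" method the post criticises):
# a blacklist of tokens that look like attack fragments.
SIGNATURES = [re.compile(p, re.IGNORECASE)
              for p in (r"\bselect\b", r"\bunion\b", r"'", r"--")]

def signature_allows(value: str) -> bool:
    """Block the input if any known-bad pattern appears anywhere in it."""
    return not any(sig.search(value) for sig in SIGNATURES)

# LANGSEC approach: specify the language of valid inputs and accept only its
# members. Assumed grammar for a customer-name search field (constructed for
# this example, not from the post). It is a regular language, so membership
# is decidable in linear time and needs no tuning as attacks change:
#   query := term (" " term)*
#   term  := WORD | WORD "'" WORD          (allows names such as O'Brien)
#   WORD  := LETTER (LETTER | "-"){0,39}
MAX_QUERY_LEN = 80

def _is_word(tok: str) -> bool:
    return (1 <= len(tok) <= 40 and tok.isascii() and tok[0].isalpha()
            and all(c.isalpha() or c == "-" for c in tok))

def _is_term(tok: str) -> bool:
    parts = tok.split("'")           # at most one apostrophe, both sides words
    return len(parts) in (1, 2) and all(_is_word(p) for p in parts)

def recognizer_accepts(value: str) -> bool:
    """Accept iff the whole input is a sentence of the grammar above."""
    if not value or len(value) > MAX_QUERY_LEN:
        return False
    return all(_is_term(t) for t in value.split(" "))

def compare(value: str) -> dict:
    """Side-by-side verdict of both approaches for one input."""
    return {"signature": signature_allows(value),
            "recognizer": recognizer_accepts(value)}

if __name__ == "__main__":
    # Constructed sample inputs: two legitimate names and one malformed query.
    for sample in ("O'Brien", "Union Station", "Smith;"):
        print(repr(sample), compare(sample))
```

The two legitimate names are false positives for the blacklist but valid sentences for the recognizer; the malformed query passes the blacklist simply because no signature happened to match it.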
5. Enterprises will be smarter about what to fix
Enterprises will fix only what is necessary. Why fix findings that aren’t being exploited? Vulnerability backlogs -- the never-ending treadmill of remediation -- have created undue stress on CIOs, CTOs and CISOs. Already-strapped security teams focus on fixing things that never get exploited, wasting significant time and effort. Remediating only what is being exploited at runtime will help eliminate vulnerability backlogs. Unwieldy backlogs will become irrelevant in 2016 because visibility into what is actually being exploited will ensure that developers only have to fix what is truly necessary. Developers stuck in the middle of software development life cycles (SDLCs) and DevOps will rethink security, working closely with security admins and IT professionals to prioritize what really demands precious resources. They can finally turn their attention to growing the business and implementing secure coding practices moving forward.
6. Massive consolidation will start in the fragmented security market ecosystem
The final prediction for 2016 is massive consolidation throughout the security industry landscape. The current fragmented security ecosystem will begin to consolidate as WAFs, NGFWs, IDS/IPS, and CDNs expand functionality, but with the same pattern-based mindset. Companies and solutions will integrate, and the impact will affect endpoint security. Users, networks, applications and data will be protected through security located within the application to work at runtime and in production, providing security where and when it is most needed. 2016 will be a new dawn for security, with shifting paradigms and new technologies. Data -- the treasure of both companies and hackers -- will finally get the level of protection it deserves and CISOs, CIOs and CTOs might actually catch a break in the never-ending quest for security.
Here’s to a more secure 2016.