Application development has transformed and is largely automated, but security remains a highly manual effort. Developers and DevOps practitioners outnumber security professionals by as much as 100 to 1. Time-to-market pressure has caused friction between application and security teams, creating the perception that security is a bottleneck. This is a serious dilemma that often results in poor testing, process shortcuts, and ineffective oversight.

At the same time, a proliferation of architectures, clouds, and third-party integrations has dramatically increased the threat surface for many organizations. Application vulnerabilities like cross-site scripting (XSS) and injection have been prevalent since the dawn of application security more than 20 years ago, yet attackers continue to discover and exploit them at an alarming rate. Attackers quickly weaponize vulnerabilities using automation frameworks to scan the Internet, discovering and exploiting weaknesses for monetary gain. Open source software in particular is plagued with vulnerabilities—introducing unknown and significant risk.

F5 Labs reports that a critical vulnerability with the potential for remote code execution, one of the most serious attacks possible, is released every 9 hours.

To effectively manage the growing complexity of securing applications across architectures, clouds, and developer frameworks, organizations need to shift their strategy and shift their perspective.

The Open Web Application Security Project (OWASP) was founded in 2001 to persuade business executives and corporate boards of the need for effective vulnerability management. A disciplined approach, including security vendors and community feedback, has resulted in the OWASP Top 10—a list of the most prevalent and critical application vulnerabilities.

XSS and Injection have been in every OWASP Top 10 list since its inception, but a new era of application security is marked by the growing threat to software supply chains, the pervasiveness of open source software, and the operational complexity of managing security and access for both legacy and modern apps. Software updates, critical data, and CI/CD pipeline integrity can all be compromised. Although open-source software significantly speeds development, it also changes risk management because controls that are common in custom software developed in house, such as static code analysis (SCA), are not always possible or practical with third-party software.

In 2021, attackers started to exploit a critical vulnerability in a widely-deployed open source software library used by thousands of websites and applications almost immediately after details of the vulnerability were published. Left unaddressed, this vulnerability can lead to remote code execution, allowing attackers to take over websites and online applications, steal money, breach data, and compromise customer accounts.

F5 Labs details analysis of multiple sources to show that web app exploits are among the most common techniques observed in security incidents and have an average time-to-discovery of 254 days. Given that 57% of all reported financial losses for the largest incidents of the past 5 years are attributed to state-affiliated threat actors, organizations need a robust stop gap to shield their applications and mitigate potentially devastating vulnerabilities before bad actors weaponize exploits and compromise the business.

The rapid evolution of technology is changing the way that organizations do business— and the steps they must take to keep their businesses safe and secure. Today, more than three-quarters of organizations are modernizing their applications—with increasing emphasis on accelerating speed to market. While greenfield projects can capitalize on cloud efficiencies, most enterprise portfolios include both legacy and modern apps that span a variety of architectures in data centers, clouds, and within microservices.

The explosion of applications and speed to market is also driving fundamental changes to risk management. Network engineers may not be deploying infrastructure. DevOps teams can easily create virtual and ephemeral infrastructure using emerging architectures like containers in a turnkey cloud solution—automating everything from code build to service deployment. These changes in roles, responsibilities, and ways of working in the application development cycle can often leave security behind.

At the same time, attackers are getting more efficient in their methods—leveraging readily available tools and frameworks to scale their attacks—essentially employing the same methods security professionals use to quantify and assess risk.

Additionally, organizations are increasingly adopting multiple cloud providers for business continuity. While this improves resiliency and reduces risk of downtime, there is an unintended side effect; namely that cloud providers lack universal security. This often leaves those in charge of security confused about what is secured or not, and the nuances can result in a vulnerability—commonly a security misconfiguration (for example, see the AWS shared responsibility model).

Risk is shifting due to the way applications are built and deployed. Therefore, security needs to shift to stay ahead of the curve of application vulnerabilities. Visibility and consistency are as important as ever, but organizations need a paradigm shift in the way application security is implemented. Instead of constructing a security policy after an application is launched, vetting out false positives to stabilize and tune the policy, and then monitoring for newly released vulnerabilities that may put the app at risk, application security needs to be intrinsically integrated into the application development lifecycle, regardless of architecture, cloud, or framework.

The most effective application security is automated, integrated, and adaptive. Automation can lower operational expenditures (OpEx) and reduce strain on critical security resources during application release, deployment, and maintenance. Automated policy deployment can improve effectiveness by implementing and stabilizing security controls earlier in the software development lifecycle (SDLC), leading to higher efficacy with less manual intervention, freeing InfoSec from a barrage of alerts and potential false positives to focus on more strategic risk management efforts. Native integration into application development frameworks and continuous integration/ continuous delivery (CI/CD) pipelines reduces friction between development and security teams, leading to better business agility and organizational alignment.

Integration into developer tools, through API-driven deployment and maintenance, simplifies policy management and change control across multiple architectures and clouds by abstracting infrastructure complexity, reducing operational overhead, and preventing misconfiguration.

Additionally, security mitigations should be accurate and resilient to avoid frustrating customers or allowing attackers to escalate their campaigns to evade detection. Consumers demand personalized, curated experiences and sophisticated attackers are not easily deterred.

Effective security that does not impact usability can serve as a key differentiator for earning and retaining customers in a highly competitive digital economy. 

Today, apps are the business, which makes threats to apps and ineffective security the biggest risks to business potential. Modern, decentralized application architectures have expanded the threat surface, automation has increased unintended risk and attacker effectiveness, and the fallout from cybercrime continues to grow, yet organizations that consistently deliver secure digital experiences will achieve customer and revenue growth.

The solution is clear. Rather than delaying the release of new code that may change the world, shift security left to automate protections throughout the application lifecycle and shift the perspective of security to be a key business differentiator.

By proactively mitigating vulnerabilities, reducing complexity, and protecting the business with effective and easy-to-operate security, you can accelerate digital transformation and optimize the customer experience—reducing risk and creating digital competitive advantage.