2023 Emerging Themes in AppSec

Fancy Galah drinking tea

As 2022 closes, I reflect on what I’ve been able to achieve this year.

Growing Galah Cyber to twelve staff members while maintaining my values of customer-lead consulting, plain English advice, and AppSec as our core service. It’s been a blast and I’m excited for the future.

I travelled regularly to speak at conferences, establish partnerships, drive sales and develop the business. But I’ve now become a father to a beautiful girl we named Monica. In preparation for her birth, I’ve been reducing travel required for my role because I want to be a good husband for my wife and a better dad for my daughters. But being at home doesn’t mean I cannot contribute to the AppSec ecosystem. While I won’t be travelling as often, I can now focus on a dormant hobby of mine, that being writing.

So please enjoy my first post of 2023!

At Galah Cyber, we work with a number of household names on helping them solve AppSec challenges. These organisations range from tech companies scaling up their business to large financial institutions, and a wide variety of companies in between. I’m well positioned to chat about the existing state of the ecosystem. But what I think is more interesting than complaining that SAST tools have too many false positives, is to talk about where I see AppSec trending for the future. So here we go into the top 5 emerging themes that I think will shape the next 2-3 years for AppSec.

Developer VDI Adoption

I predict software engineers will adopt virtualised development environments helping improve host security and engineering productivity in the process.

Local development environments are a security and productivity nightmare. Onboarding processes can take days and are a source of frustration and friction with new starters. For security, engineering workstations are a challenge to secure. Engineers expect elevated permissions, the ability to install their own tools and packages, and will otherwise complain that security controls are blocking them from being productive.

Workstations co-mingle developer artifacts with corporate IT systems. Each is a vector as well as a target. Patching is difficult to automate as each workstation has unique services and applications. Sensitive development and corporate data are stored and often forgotten about.

We have seen a number of breaches where a developer workstation had been the initial access vector in 2022, and I believe that it’s only going to get worse as adversaries target these critical users through package repositories, spear-phishing, and more.

I believe that VDI’s are the solution. While VDI’s have been around for a long time, adoption has been flaky due to a painful user experience, laggy interface, and restrictions creating friction for engineers. The traditional virtual machine and RDP approach was a non-starter.

GitHub CodeSpaces is what made me revisit the concept. The UX and lag issues were solved by allowing engineers to operate in their core IDE or browser locally and have those changes reflected silently into the VDI. Codespaces are easily configurable, quick to instantiate, and reproducible across devices. Developer environments are now herds, not pets.

While this is great for workforce productivity, I think there are real security benefits from adopting this model. Engineering artefacts which would previously be leaked or used for establishing persistence or alternative access aren’t going to be as accessible as before. Environment variables, access tokens, certificates, and old repositories and artefacts are now in the VDI configuration, and can be provisioned and cycled on demand.

Another benefit is that you can now treat engineering devices as part of the traditional corporate fleet. While a few engineering applications like IDE’s and terminals will be required, you can restrict administrative privileges and proceed with rolling out app control without impeding engineering velocity. Patching is now manageable too, as is maintaining a software asset inventory.

I predict more organisations will adopt VDI’s in lieu of dedicated configurable development workstations, especially as remote work trends upward and corporate IT recognise the productivity and security improvements.

AI GalahAI Proliferation

I predict AI and AGI will increasingly be used to optimise, automate, and entirely replace certain AppSec activities.

The last 6 months have seen innovative jumps in practical AI applications. While DALL-E, MidJourney, and Stable Diffusion have made the most visible impact by generating visual imagery based on prompts, it’s CoPilot and ChatGPT that have really honed in on the potential in my view. While I don’t see AI replacing knowledge work entirely, I do see redundancy and using AGI to improve the velocity at which it is undertaken. Writers who can prompt for ideas, editing, chapter themes, or narrative devices. Programmers troubleshooting syntax errors, artists looking for inspiration with chords, and so on are just some practical applications I can think of.

In relation to AppSec though, I think Snyk and GitHub have only just started on the AI journey by suggesting fixes to security vulnerabilities. I fully expect that we will see practical applications ranging from self-patching software, automated cloud posture remediation, or simply seeing AI integrations throughout all aspects of the SDLC.

I’m not afraid that AI will automate our jobs, but I have confidence that it will transform how we operate in the AppSec field.

Tool Consolidation

I predict the next few years will be tough for AppSec product companies, many of which will be acquired, merge, or pivot into other markets.

The last decade has been a crazy bull market. Many companies had great success with high quality, single-purpose products. With easy access to capital from both investors and open-minded consumers, it was a great market for innovative firms. We are now in an inflation-driven bear market. Capital raises have stricter terms, consumers are reluctant to spend, but we still have a proliferation of AppSec products competing for the same tiny TAM.

Organisations are tightening their belts. Single-purpose tooling will be phased out for cost-effective, wide-scoped, or developer-adjacent options. I think we will see a lot of AppSec product companies pivot and start reducing their operating costs with layoffs and R&D cuts. In time they’ll need to consolidate, find new sources of revenue, or look for an exit.

I believe that developer ecosystem providers will be open to introducing security into their offerings, while established software security firms will be open to expanding their portfolio. It’ll be a tough time for the AppSec startup ecosystem, and I expect innovation to slow because of that.

A Galah grave robberGraverobbing Attacks

I predict graverobbing attacks to experience an enormous uptick as organisations cut costs, restructure, or go out of business.

Graverobbing is a catch-all term I have coined to cover when a web resource ‘dies’ and the hyperlink to it is now open for abuse. I’ve seen this previously with subdomain takeovers, when no host is serving content for a DNS record, and recently with Truffle Security speaking about vandalising old email content.

The web is ephemeral and external content should not be relied on to be valid forever. Yet we continue to build software with the assumption that everything will remain as it is in a few years time.

While graverobbing attacks have mostly been limited to squatting domains or releasing cloud resources, I expect people to creatively think about this class and how it can be abused.

While we have technical controls in the form of hashing, or self-hosting content, we cannot always use these (for example, email, or dynamic content). I think that package managers, hosting providers, git repositories, pastebin text, email addresses, and more will all be potential vectors, and that’s just the beginning of my view. But why predict an uptick? Because companies are cost-cutting or going out of business, which will result in many links pointing to dead content that can now be used for graverobbing.

Product Security Convergence

I predict the next few years will see distinct security disciplines like NetSec, CloudSec, DevSecOps, and AppSec converge into Product Security.

The boundaries about what constitutes an application have been blurring for some time now. Software engineers are now accountable to deliver all aspects of building and running an application. Application code is only one of those concerns, with infrastructure, testing, and automation being other areas of responsibility for software engineers. Containerisation, infrastructure-as-code, and CI scripting are the result, and security engineering increasingly moving to securing these instead of SOE’s, firewalls, and appliances.

Based on this journey, I think organisations will expect their security engineers to increasingly be like software engineers, and to adapt to handle a wider variety of issues. Domain experts will still be valuable, but demand for the T-skilled ‘Product Security Engineers’ will skyrocket as technology modernisation programs roll out.

Other Trends

While I think the above are the most important ones to think through, a few noble mentions include:

  • InnerSourcing becoming more common as institutions look for ways to deal w/ software asset inventories and improve internal eng velocity.
  • Nix seeing widespread adoption to address SBOM and reproducibility issues plaguing compliance w/ current legislation for software provenance
  • Ecosystem Security becomes more important as companies consolidate into a single ecosystem for their development.

Thanks for reading!

If you’ve got AppSec troubles, feel free to reach out to me. At Galah Cyber we have experience helping clients across a range of industries with rolling out programs, teaching developers, tuning tools, and reviewing products for vulnerabilities.