Key lessons from Forrester’s State of Application Security in 2024


Application security is often sacrificed for speed and to meet the increasingly tight time-to-market windows for new apps needed to drive new revenue growth.

Adding to the urgency are compensation plans for CIOs, DevOps leaders and their teams that offer financial incentives for delivering apps ahead of schedule. When bonuses are tied to releasing a new app quickly, security is pushed to the final stages of a project and rushed out the door.

However, the greater the drive for speed, the more cracks and weaknesses in application security emerge. Forrester's recently published 2024 report on the state of application security reflects the growing threat from these cracks, starting with software supply chains and extending through DevOps.

Gen AI chatbots meet the need for more DevOps speed

Forrester sees generative AI chatbots and tools increasing developer productivity by 20% to 50%. “By 2024, many development teams will move from experimentation to embedding TuringBots into their software development lifecycle,” predicts Chris Gardner, VP, research director at Forrester. Gardner also predicted that this year “testers will also see productivity gains of 15 to 20%, and all product team members will achieve more than 10% efficiency thanks to their supporting TuringBots in planning and delivery. Gen AI will make low-code and high-coding everywhere much more productive, and this will grow exponentially in the future.”

A recent BairesDev survey of more than 500 software engineers found that 72% of them now use gen AI as part of the software development process, and almost half (48%) use it every day. Eighty-one percent use gen AI-based tools to write code they previously wrote manually. Nearly one in four developers (23%) using gen AI see a productivity increase of 50% or more. ChatGPT from OpenAI, GitHub Copilot, Microsoft Copilot and Google Gemini are the four most popular chatbots among the software engineers surveyed.

The pressure is on every software-based company to find new ways to increase the accuracy, efficiency, and speed of DevOps. Boston Consulting Group (BCG) says the more software-intensive a company is, the faster and more effective it needs to be at delivering new features and apps. Bringing apps to market faster than the competition has proven to be a market advantage and the key to long-term survival. With high-performing DevOps teams deploying code 208 times more often on average than low-performing teams, the increasing adoption of AI-based DevOps tools is widening the performance gap.

Speed exposes growing gaps in governance, risk and security

The productivity and speed gains delivered by gen AI-based chatbots and apps expose growing gaps in governance, risk and security. CISOs, DevOps leaders, IT and security leaders are finding it challenging to adopt a more agile/DevOps development and delivery model that also closes the gaps in each of these areas.

Forrester notes in its report: “When we asked global IT and digital professionals about their biggest challenges in moving to such a model in 2023, 26% said security, risk and governance. Unfortunately, an iterative and incremental approach such as agile/DevOps leaves little time for long-term software validation.”

Five insights from Forrester’s 2024 AppSec report

One reason application security gaps are widening is that DevOps teams rush to meet deadlines without security at the heart of the SDLC and integrated into CI/CD frameworks. The challenge is exacerbated as gen AI chatbots and tools proliferate, creating the need for new governance, risk and security frameworks so that agile/DevOps can deliver safe, secure and trusted code and apps.

Forrester’s five key takeaways address this challenge and are as follows:

Application security budgets are increasing despite economic headwinds: Despite persistent economic turbulence, cybersecurity spending continues to show resilience. Forrester found that 64% of security decision makers reported an increase in their application security budget, with 32% reporting an increase of 5% or more; only 8% reported a decline.

Fifty percent of security leaders whose organizations have not been affected by a breach predict their budgets will increase. The share expecting increased cybersecurity funding rises to 77% among organizations that reported six or more breaches in the past year. Forrester writes that security decision makers who reported six or more breaches put their total breach costs at approximately $5.3 million on average. These costs do not include brand damage or opportunity costs, underscoring the importance of preventative and protective application security measures.

Source: Forrester, The State of Application Security, 2024

Adhere to Secure-by-Design principles: A series of new standards and regulations, some adopted and others underway, will hold software vendors and manufacturers accountable for the quality, reliability and security of the products they sell. Forrester notes that the National Cybersecurity Strategy indicates where legislation is heading: shifting liability for poor cybersecurity product quality away from customers and onto software makers.

The Cybersecurity and Infrastructure Security Agency (CISA) has joined forces with 17 other U.S. and international organizations to develop the Secure by Design principles, which recommend that software manufacturers provide only secure-by-design and secure-by-default products. At last count, 183 companies have signed the pledge, with Ivanti among the first to sign. Jeff Abbott, CEO of Ivanti, writes: “As the threat landscape rapidly evolves and tactics become more aggressive and sophisticated, the need to put security first has never been greater.” Abbott continued: “By signing the Secure by Design pledge, we are committing to a set of principles, standards and actions that will help us further improve the security of our products and better protect our customers. This includes implementing multi-factor authentication, reducing the use of default passwords, mitigating entire classes of vulnerabilities, increasing security patch adoption, establishing vulnerability disclosure policies, and improving the ability of our customers to collect evidence of cybersecurity breaches.”

More than 40 cybersecurity companies have signed the pledge, including Amazon Web Services (AWS), BlackBerry, Cisco, Cloudflare, CrowdStrike, Deep Instinct, Dragos, ESET, Fortinet, Google, HackerOne, IBM, Microsoft, Netwrix, Okta, Palo Alto Networks, RSA, SentinelOne, Sophos, Trellix, Trend Micro, Trustwave, Veracode, Zscaler and others. These companies are recognized leaders in cybersecurity, and their commitment to Secure-by-Design principles represents a collective effort to improve digital security and reduce vulnerabilities, starting with software development.

Web app exploits cause IT and security to prioritize API security: Forrester finds that while 14% of all security decision makers say they plan to implement API security, the figure rises to 30% for organizations that have experienced an external attack that started as a web application exploit. In a typical API exploit, attackers compromise an API and use it to exfiltrate data.

Compounding the risk, there are so many APIs that many DevOps teams lose track of them, leaving many exposed as potential future attack vectors. Forty-one percent of organizations manage as many APIs as applications.

What is needed is a more collaborative approach to bringing DevOps, IT and security together to strengthen API security as part of the CI/CD process and the broader SDLC. Clearly, during the early stages of any new product definition, security requires a thorough understanding of the API strategy for the product or project.

The goal should be for DevOps, IT and security to work together on controls and broader policies that reduce and ultimately eliminate the risk of exposing rogue or unmanaged APIs to the outside world.
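The practical first step behind the three paragraphs above is knowing which APIs are actually reachable, so that unmanaged ones can be brought under the team's controls or retired. The following is an added example, not code from Forrester or from the article, of a small inventory-drift check: it compares the routes a team has declared (a constructed OpenAPI-style excerpt) against the routes observed in constructed gateway access-log lines, and reports anything served that the inventory does not declare. Route templates, log lines and the `{id}` placeholder convention are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed excerpt of an OpenAPI-style inventory: what the team believes is exposed.
DECLARED_API = {
    "/v1/users/{id}": {"GET", "PUT"},
    "/v1/orders": {"GET", "POST"},
    "/v1/orders/{id}": {"GET"},
}

# Constructed gateway access-log lines (common log format), standing in for real traffic.
ACCESS_LOG = """\
10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [12/Jun/2024:10:01:03 +0000] "POST /v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [12/Jun/2024:10:01:07 +0000] "GET /v1/orders/7 HTTP/1.1" 200 640
203.0.113.4 - - [12/Jun/2024:10:02:11 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
203.0.113.4 - - [12/Jun/2024:10:02:12 +0000] "DELETE /v1/users/42 HTTP/1.1" 204 0
10.0.0.5 - - [12/Jun/2024:10:03:00 +0000] "GET /v0/users/42 HTTP/1.1" 200 512
"""

# Extracts the request method and path from the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Numeric ids and UUIDs are collapsed to the {id} placeholder the inventory uses.
UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
ID_SEGMENT = re.compile(r"/(\d+|" + UUID + r")(?=/|$)")


def normalize_path(path):
    """Drop the query string and replace concrete identifiers with {id}."""
    path = path.split("?", 1)[0]
    return ID_SEGMENT.sub("/{id}", path)


def observed_routes(log_text):
    """Count (method, normalized path) pairs actually served, per the access log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m["method"], normalize_path(m["path"]))] += 1
    return counts


def unmanaged_routes(declared, log_text):
    """Routes seen in traffic that the inventory does not declare.

    Returns sorted (method, path, kind, hits) tuples, where kind distinguishes an
    entirely undeclared path (e.g. a leftover debug endpoint or an old API version)
    from an undeclared method on a known path (e.g. DELETE where only GET/PUT exist).
    """
    seen = observed_routes(log_text)
    report = []
    for (method, path), hits in seen.items():
        if method in declared.get(path, set()):
            continue
        kind = "undeclared-method" if path in declared else "undeclared-path"
        report.append((method, path, kind, hits))
    return sorted(report)


if __name__ == "__main__":
    for method, path, kind, hits in unmanaged_routes(DECLARED_API, ACCESS_LOG):
        print(f"{kind:18} {method:7} {path} ({hits} request(s))")
```

Run periodically against gateway logs, the output is the list security, DevOps and IT would triage together: each undeclared path either gets added to the inventory and put behind the same controls as everything else, or gets removed.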

Integrating security into the development lifecycle (DevSecOps): DevSecOps stands for development, security and operations. It is an approach that combines automation and platform design, making security a shared responsibility throughout the IT and CI/CD lifecycle. The goal is to increase the speed of application cycles or releases while ensuring that every stage of the development lifecycle is secure. As more organizations adopt DevSecOps, they are looking for ways to secure cloud-native applications, protect mission-critical workloads and streamline operations.

Define and continue to improve software supply chain security: A staggering 91% of companies were victims of software supply chain incidents in a single year, underscoring the need for better safeguards for continuous integration/continuous deployment (CI/CD) pipelines. Forrester advises its clients to reduce risk in the software supply chain by implementing practices including infrastructure-as-code (IaC) security and secret scanning solutions. These measures help identify and mitigate risks early in the development process, preventing downstream attacks that could have widespread impact.
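To make the two practices named in the previous two paragraphs concrete, here is an added example (not code from Forrester or the article) of a pre-merge CI gate that applies both: it scans a set of constructed changed files for committed secrets and for weak infrastructure-as-code settings, and fails the pipeline step when anything is found. The file contents, the detection patterns and the two Terraform misconfigurations checked (a public S3 bucket ACL and an ingress rule open to 0.0.0.0/0) are assumptions chosen for illustration; the access key value is AWS's documented example key, not a live credential.

```python
import re
from dataclasses import dataclass

# Constructed sample files, standing in for the changed files of a pull request.
SAMPLE_FILES = {
    "app/config.py": (
        'DB_HOST = "db.internal"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'  # AWS's documented example key
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIE...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "infra/storage.tf": (
        'resource "aws_s3_bucket" "logs" {\n'
        '  bucket = "example-logs"\n'
        '  acl    = "public-read"\n'
        "}\n"
    ),
    "infra/network.tf": (
        'resource "aws_security_group" "ssh" {\n'
        "  ingress {\n"
        "    from_port   = 22\n"
        "    to_port     = 22\n"
        '    cidr_blocks = ["0.0.0.0/0"]\n'
        "  }\n"
        "}\n"
    ),
    "app/main.py": 'def handler(event):\n    return {"ok": True}\n',
}

# Secret patterns applied to every file. Illustrative, not an exhaustive rule set.
SECRET_RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws-secret-key-assignment",
     re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*['\"][A-Za-z0-9/+=]{40}['\"]")),
]

# IaC patterns applied only to Terraform files.
IAC_RULES = [
    ("s3-public-acl", re.compile(r'acl\s*=\s*"public-read(-write)?"')),
    ("ingress-open-to-world", re.compile(r'cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0/0"\s*\]')),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    kind: str  # "secret" or "iac"


def scan_files(files):
    """Return one Finding per (file, line, rule) match across the given files."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in SECRET_RULES:
                if pattern.search(line):
                    findings.append(Finding(path, lineno, rule, "secret"))
            if path.endswith(".tf"):
                for rule, pattern in IAC_RULES:
                    if pattern.search(line):
                        findings.append(Finding(path, lineno, rule, "iac"))
    return findings


def gate(files):
    """CI gate: passes only when no secret or IaC finding exists."""
    findings = scan_files(files)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    passed, findings = gate(SAMPLE_FILES)
    for f in findings:
        print(f"[{f.kind}] {f.path}:{f.line} {f.rule}")
    print("PASS" if passed else "FAIL: fix the findings above before merging")
```

Running the gate at pull-request time, before the artifact is built, is what gives these checks their value: a secret or a public bucket caught here never reaches the repository history or the deployed environment, where the same finding would cost a credential rotation or an incident response.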

Security must be at the core of SDLC in order to work

Organizations must take a forward-looking approach and choose to implement security at every stage of the systems development lifecycle (SDLC), which is a key point of the Forrester report. “To successfully secure applications and their data, collaboration between security, development and operations is essential,” the report said.

Gen AI chatbots and tools will continue to accelerate the pace at which DevOps teams produce code. To get governance, risk and security right, CIOs, CISOs and their teams must define an approach that integrates security into the core of how software is produced. As code production accelerates, so does the need for better approaches to managing systemic risk, governance and security challenges.