
Future of Application Security

BSides Athens · 15:21 · 67 views · Published 2022-06
Category: Technical
Style: Talk
About this talk
Abstract: The pandemic has undoubtedly taken digital transformation to a different level, with most organizations across the globe transitioning to an entirely cloud-based ecosystem, more emphasis on a 'work from home' culture, and a critical focus on web applications to manage the remote workforce. As enterprises continue to experience unprecedented security challenges emerging every day, applications remain the first point of contact for both users and attackers. An organization may well cease to exist if business decisions fail to concentrate on this fundamental logic. The application threat landscape will only get more rational and complex in 2021 and beyond, so bringing application security into the boardroom can ensure clarity and build momentum in getting the program up and running.

Bio: Tapendra Dev is a multi-skilled Cyber Security & DevSecOps Engineer with 7+ years of prolific experience across cross-functional areas of cybersecurity. He is an OSCP certified professional and a collaborative, inclusive team leader working on services from back-end to front-end. He has a constructive background in working with global companies and reputed start-ups, and has been spearheading the product development of his company for the past five years.
Transcript (en)

Hi everyone, pleasure to connect to all of you today. My name is founder and CEO of Chicago Blink. So in today's session we are going to talk about the future of application security and what are the key challenges which are faced by the organizations. So let's start with the agenda. We will be covering the topics which are related to what is application security, why application security is important, the types of application security, the common application security flaws, what are the application security tools which have been used by an organization, what are the key challenges which organizations are still facing in terms of application security, and the best approaches for the applications currently, the current and the future ones.

So let's first start with what is application security. Application security is a process of developing, adding and testing the security features within the application to minimize the security vulnerabilities. So it is just like we are adding multiple layers to an application so that we can make it proof from all the external attacks, and whenever a hacker is going to try to penetrate those applications they need to pass through the multiple security layers. So this is how we are improving the overall security of an application, and this process is known as application security, where we are identifying the vulnerabilities at an early stage and then we are reducing and eliminating those vulnerabilities with our approaches and with the different kinds of products and tools that we're going to use.

So why application security is important. Let's start with a couple of stats that we have captured, mainly from Flex Data, Micro Focus and Dividend Security, which say that 60.5% of the application vulnerabilities are remotely exploitable, 42% of organizations experienced an external attack due to an application security flaw, and 79% of the organizations push vulnerable code to production either regularly or occasionally. This is mainly the case with organizations which are in an early stage or in a medium stage, because in those organizations they don't have any security, which means that most of the development and deployment work is taken care of only by the developers, and if they by mistake push any kind of vulnerabilities associated with their code into the production environment, automatically it is making them more vulnerable to a cyber attack. Then 42% of the vulnerabilities in the applications are injections, because even in today's time a lot of enterprise applications and small and medium business applications are using the previous stacks, so they are more prone to getting SQL injection attacks. Then 83% of the applications are still found to remain vulnerable after the initial scan, simply because scanning is just not the one process, it is just a very basic process which the companies and organizations have in place. And 50% of the apps on average were found vulnerable because they didn't adopt a stack of approaches.

This is a trend graph that we have created from 2009 to 2020, which shows the rapid increase in the number of vulnerabilities, and if you can see, from 2019 to 2020 there is a drastic change, because in today's time the organizations are including a lot of third-party libraries in order to make their applications more robust and to provide the best user experience to their customers, and in order to do that they are basically relying on a lot of third-party libraries, which is automatically making them more and more vulnerable to a cyber attack.

So the top security flaws that we have captured, which have been reported by Veracode and CWE. CWE is a framework which is followed by all the enterprises, and if we talk about the common flaws, these are the popular common flaws which have been found in the applications. It starts with information leakage, which is coming up at 64%, and cryptographic abnormalities, which is 62%, then CRLF injection, code quality, insufficient input validation, cross-site scripting attacks, directory traversal, then credential management. And if we go for the top 10, the top 10 CVE given by MITRE for this year, for 2021, it starts with out-of-bounds write, which has a threat score of 65.93, then cross-site scripting, which is 46.84, then out-of-bounds read, which is 24.9, then improper input validation, that is 20.47, then OS command injection, that is 19.55, SQL injection, 19.54, then use after free, path traversal, then cross-site request forgery, and unrestricted upload of a file with a dangerous type. All of these details, if you want to know what these terms mean, are widely available on the CVE inventory websites, and you can just go there and search these terms to get more detail about them, because here we can't cover all the topics at once, so I'm just giving an outline of the top application flaws which have been followed by the

Then moving to the next, we are talking about the types of application security. Application security is mainly divided into five types. It starts with critical infrastructure security, where we are talking about the applications which are used in critical infrastructure, mainly the power grid, the electricity segment and nuclear reactors. All of these critical applications again require cyber security because they are handling that critical infrastructure. Then moving to the next, we have mobile application security, which is related to all the mobile applications that are used. Network security again plays a very important role, because this is the first contact, the first entry point for a hacker, and if they anyhow get a clean source of the traffic network, they can definitely enter into the database. Then there is cloud security, which has been introduced because most of the applications are getting deployed over the cloud, so they need to follow various kinds of approaches to adopt that security. Then there is IoT security for all the IoT devices.

So what are the application security challenges which the companies are facing in today's time. It starts with inherited vulnerabilities, like some of the code that they are using, so the vulnerabilities are getting inherited from the previous groups, or from some third-party libraries, which are again making them more and more vulnerable to a cyber attack. Second, we have third-party and open source vulnerabilities and backdoors and software supply chain attacks, which have recently been experienced by a lot of big organizations, maybe based out of the US, like if we talk about Colonial Pipeline, if we talk about the other hacks which have taken place in the last seven months, they are all affected by the software supply chain only, which is one of the highest challenges for an organization. Then vulnerability detection is there, because still the organizations don't have a robust solution in order to protect against vulnerabilities in the runtime environment. And API security again plays a very important role, because different organizations have some endpoints which are publicly available, and if they don't deploy any sort of security on those endpoints, then automatically a hacker can easily access those customer data sets.

So what are the application security tools. These are the popular tools which have been used by organizations: static application security testing, dynamic application security testing and interactive application security testing. Specifically these three approaches are mainly followed by all the pen testers, our security and others, and they start with the application testing while following these three approaches. Then we have software composition analysis. This is something a bit new, because here we are analyzing all the components of that software and we are lifting up and finding out the vulnerabilities which are associated at a very core level of an application. Then the new approach, like a lot of tools have been offered by organizations which are basically providing application testing as a service.

So the application security trends. Basically the rise that we have seen, post-pandemic, in the new normal: the organizations are now moving towards the cloud, they are not at all going forward with the on-premises servers which were followed by the previous approaches, and in the post-pandemic time now people have adopted a hybrid model or working from home, so definitely they need to move their applications to the cloud. So the rapid movement of applications and the rapid cloud adoption of an organization is at a scale which we have seen in the past couple of months. Then runtime application self protection, this is also again being followed in terms of trends in application security; then we have runtime application self protection, RASP, this is one of the most popular approaches which has been followed recently by CIOs and security analysts. Then backend as a service, where companies are following a very robust approach in today's time: they have created a backend as a service, they are deploying the microservices there and they are utilizing those services in a secured environment, which is a much more secure practice compared to the traditional approach of deploying a monolithic architecture. Then we have the monitoring tools which are available mainly for the public and private clouds; every cloud company has those monitoring tools available, whether it is from AWS, from SAP, from Microsoft Azure, everyone has the monitoring tools available, and even a lot of other third-party companies are also offering tools which we can directly connect with those cloud providers and we can monitor all the inbound and outbound traffic of an application. Then web application firewalls, they are basically the previous approach which is mainly followed by organizations, they just deploy the firewalls. Then function as a service, again it's a serverless model which has been followed by organizations. And application workload protection, this is pretty much new, because in today's time even what the hackers are doing, they are basically deploying memory-based kinds of attacks which are very difficult to figure out or to detect by the traditional application security scanners, and this thing we can easily detect if an organization is using any sort of tool which is based on workload protection.

So then in the last we will be talking about all the approaches, the current approaches and the future approaches which are being taken by organizations for application security. The current approach, if we talk about it, is like they are adopting the advanced application security frameworks, they are creating the secure code, they are monitoring the complete code and they are checking whether it is not coming up from any sort of third-party popular forums. Then implementing security as a design, this is one of the most recommended approaches, which even I do recommend and which organizations need to follow: whenever they are designing or developing any kind of a product they need to implement security as a design, so that at every stage it should get into those security layers, which automatically will make the hacker's work pretty much harder. Then integrating security into the development, the software development stages, where we are deploying and testing the CI/CD pipeline that we are talking about, so we are integrating the security in that part also. Then using the latest technology: basically organizations need to adopt all the latest technologies for developing their applications, whether it is mobile, IoT or web applications, and try avoiding the previous techniques or the previous technologies which are not getting any frequent updates, because those frameworks and approaches are getting more vulnerable to a cyber attack. Then regularly they need to update their software with the recent patches and the recent updates that have been rolled out by an organization, as they contain important critical security updates.

Then the future approaches. Arrange and prioritize the applications, this is going to come up in the future approach, where we are prioritizing which application is more important in an organization, which is handling the more critical data. Then data should be encrypted. We need to verify all the third-party libraries that have been used in an application. Then we need to use some more advanced artificial intelligence-based tools in order to find the zero-day vulnerabilities, because with this kind of vulnerabilities most of the organizations are getting affected, and it gives them very little time to revert or to take any kind of action against it, and by the time they report it the hackers do their work and they just take the complete data, or they just start with a ransomware kind of attack after doing their encryption. Then securing all the public APIs that have been used in the applications, and using the automated remediation approach, which is automatically making applications better in terms of security. Then application security testing and orchestration, this is one of the newest approaches which the organizations, it seems, will be definitely adopting in the coming future. So these are a couple of ways, the previous ways and the new ways, which organizations are following, and definitely you can somehow make your applications less prone to a cyber attack. So that's all from my side, and if you have any questions you can connect with me over LinkedIn or Twitter, my username is appaintredu, and I will be happy to take any further questions. Thank you, and thank you American Digital Week.
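Two of the flaws the speaker lists under common application security flaws, SQL injection (via insufficient input validation) and directory traversal, shown as a vulnerable and a hardened form side by side. This is an added example, not code from the talk or from any product or project it mentions; the users table, the temporary file tree and the secret value are all constructed for the demo, and the function names are the example's own.

```python
"""Added example: SQL injection and directory traversal, vulnerable vs hardened.

Only the Python standard library is used. The users table and the file tree
are constructed inline so the script runs offline.
"""
import sqlite3
import tempfile
from pathlib import Path


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Insufficient input validation: the user-controlled value is spliced
    into the SQL text, so a quote in `name` changes the query's structure."""
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver passes `name` as data, never as SQL."""
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def read_vulnerable(base: Path, relpath: str) -> str:
    """Directory traversal: the path is joined without checking where it lands."""
    return (base / relpath).read_text()


def read_hardened(base: Path, relpath: str) -> str:
    """Resolve the joined path (following any '..') and refuse anything that
    does not end up inside `base`."""
    base = base.resolve()
    target = (base / relpath).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"path escapes base directory: {relpath!r}")
    return target.read_text()


def demo() -> dict:
    """Run both flaws against constructed input and report what each form does."""
    conn = make_db()
    payload = "x' OR '1'='1"  # classic tautology string, constructed for the demo
    results = {
        # the spliced query becomes WHERE name = 'x' OR '1'='1' and leaks both rows
        "vuln_rows": len(lookup_vulnerable(conn, payload)),
        # the bound parameter is compared literally; no user has that name
        "safe_rows": len(lookup_hardened(conn, payload)),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "public").mkdir()
        (root / "public" / "index.html").write_text("hello")
        (root / "config.ini").write_text("db_password=hunter2")  # constructed secret
        # unchecked join walks out of public/ and reads the config file
        results["vuln_read"] = read_vulnerable(root / "public", "../config.ini")
        try:
            read_hardened(root / "public", "../config.ini")
            results["safe_blocked"] = False
        except PermissionError:
            results["safe_blocked"] = True
        # a legitimate path inside the base directory still works
        results["safe_ok"] = read_hardened(root / "public", "index.html")
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened variants make the same two changes a code review would ask for: SQL built by string formatting is replaced by a bound parameter, and a file path is checked after resolution (not by string matching on `..`) so that symlinks and normalised paths are judged by where they actually land.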
