One year ago this Thursday, NIST released a historic update of its security and privacy controls, NIST SP800-53 Revision 5. This update added a new focus on application security by requiring the use of IAST and RASP technology. How have these new guidelines affected application security over the last year?
<p>Thursday, September 23 is the one year anniversary of NIST SP800-53 Revision 5 , recognized by NIST as an historic update to its security and privacy controls. It also set a new standard for application security by adding RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing) as requirements to the NIST security framework.</p>
<p>One year later, what’s different? Here are three trends we see with our customers:</p>
<p>1. Web-based applications are still under attack, but organizations are beginning to shift left, integrating security earlier into the development cycle. Testing technologies such as SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) are being used more frequently during application development to help identify vulnerabilities.</p>
<p>2. SAST and DAST tools often lead to an overwhelming number of false positives. Working through a huge list of vulnerabilities to determine which ones are real and which ones are false can be daunting, and incredibly time consuming. It creates trust issues between developers, who are tasked with bringing their code to production as quickly as possible, and security teams, motivated to identify software vulnerabilities in order to protect against data breaches and attacks.</p>
<p>3. Implementation of IAST tools is increasing. Nine out of 10 customers K2 works with are interested in adding IAST to their pre-release testing. By residing on the server, IAST watches the application code as it’s executing. It can provide the payload used to attack the vulnerability, along with proof of exploitability. In fact, IAST can pinpoint the specific location of the vulnerability in the code, down to the filename and line of code. This detailed telemetry allows developers to quickly locate and correct the issue. IAST provides all the information needed to identify how serious or exploitable vulnerabilities actually are, and the recommended prioritization to address them.</p>
<p>According to Forrester’s 2021 “The State of Application Security”, 28% of security decision makers indicated that improving application security was a top tactical IT security priority, and 38% planned to implement IAST testing in their software development lifecycle.</p>
<p>Development and security teams are joining forces to bridge the security gap. More organizations see the value of early remediation and prerelease testing tools to bring software to production that is as secure as possible. The new NIST framework offers a template for organizations to adopt the same level of security used by federal agencies. What are you waiting for?</p>