The Biggest Lessons We Learned About Application Security in 2016

Angela Bartels on November 22, 2016


This past year, cyber-attacks have taken center stage in the media on more than one occasion. From the DDoS attacks that took down more than a dozen major websites to the cyber-attack that breached the email accounts of more than 100 Democrat party officials, 2017 is shaping up to be an important year for cyber-security.

To find out what security issues should be a top priority for businesses next year, we collected insights from top application development and cyber-security experts. Here’s what they had to say about the biggest learnings for application security in 2016:

1. IoT-Based DDoS Attacks are a Top Security Priority

Security concerns over IoT devices made headlines this last October when attackers exploited connected devices to carry out a distributed denial of service (DDoS) attack on Dyn, a popular domain name service (DNS) provider. Internet behemoths such as Twitter, Spotify and Reddit experienced record-long downtime due to the extent of the attack. According to Gartner, by 2020 25% of cyber-attacks on enterprise organizations will involve IoT. Despite this, IoT will only account for 10% of IT’s security budget.

“2016 was also the year we saw DDoS attacks crossing the barriers into IoT networks,” says Tiago Luchini, technology partner at Work & Co, a digital product agency that works with clients such as Apple, Facebook, Google, and Twitter. “Targeted, massive, IoT-driven, Application Layer DDoS will become a popular opportunity area for attackers in the coming years.”

To combat this, Gartner recommends that companies assign business ownership specifically to IoT security and increase their IoT-focused security budget.

2. Patching Vulnerabilities Isn’t Enough

Security professionals are so focused on outside threats that it can be easy to forget about the inside ones, like software vulnerabilities. According to Gartner’s Strategic Planning Assumptions (SPAs) for security, through 2020, 99% of vulnerabilities exploited will be known by security and IT professionals for at least one year. “Application vulnerabilities are rarely patched, and in many cases are virtually impossible to patch,” says Brian Maccaba, CEO of Waratek, an application security company.

Attackers are increasingly focusing on vulnerabilities in data center applications that can yield massive amounts of confidential and intellectual property data. This includes password databases, healthcare records, product designs and others. “In the next year, efforts to isolate or place vulnerable applications in secure enclaves will emerge more broadly in 2017,” says Art Gilliland, CEO of Skyport Systems, a cyber-security company.

3. Increased Need for Federated Application Marketplaces

As cyber-attackers increasingly exploit software vulnerabilities, companies need to invest in advanced security methods, such as controlled application marketplaces, to protect their data. Companies put themselves at risk when they allow employees to install applications that haven’t been properly vetted by IT. “One wrong click could easily infect those systems with malware, ransomware, data loss, data poisoning or financial fraud,” says Joseph Carson, Head of Global Strategic Alliances at Thycotic, a provider of privileged account management (PAM) solutions.

Carson advises companies to use application controls with whitelisting capabilities, which protect users who click on an infected application by checking the app’s reputation before allowing it to be downloaded. In 2017, he predicts that we’ll see companies invest more in federated marketplaces that give employees a variety of trusted applications to choose from.

4. Application Authentication Will Evolve Past the Password

Along with DDoS attacks and software vulnerabilities, compromised user credentials also continue to present a notable risk to businesses. Because of this, Gartner predicts that by 2019, the use of passwords and tokens will drop 55%, due to the introduction of recognition technologies. Instead, companies should look to products and vendors that use biometric and analytic capabilities to make the login process both secure and user-friendly.

According to Sundhar Annamalai, Executive Director of Integrated Solutions at AT&T, “In 2017, we can expect that application security will be designed with a mobile lifestyle and delivery method in mind.” For example, Annamalai predicts that application authentication will evolve to include location context, network recognition, biometrics, or other security measures. This is especially important as companies increasingly store data in the cloud.

While some advancements in technology, like IoT, introduce new risks, the rise of biometrics, analytics and machine learning promises to enhance and evolve security technology. As cyber-security increasingly becomes a top issue for businesses and consumers alike, we can expect even more security innovations to come in the next year.

How does Assembla handle security?

At Assembla, our users store various projects and code repositories that contain elements of their business. We take security and data integrity seriously. We provide a superior level of protection, monitoring and redundancy to ensure our users can focus on their work instead of worrying about their data.

In the app itself, authentication for user services is provided by username and password submitted over TLS. Users can also set an IP restriction option, via the Admin-Security page in each project's space, so that only users at specified IP addresses or ranges can access the project space's content. Users can also control the visibility of a project space's information through the settings on the Admin tab of the space.
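To show what an IP restriction like the one above amounts to in practice, here is an added example (illustration only, not Assembla's code) of an allowlist check that accepts both single addresses and CIDR ranges, fails closed on malformed input, and assumes the checked address is the TLS connection's peer address rather than a client-supplied header. The allowlist entries are constructed documentation-range values.

```python
import ipaddress
from typing import Iterable, List

# Constructed allowlist in the shape an admin might enter on a restriction
# page: single addresses and CIDR ranges, IPv4 and IPv6 (documentation ranges).
ALLOWLIST = [
    "203.0.113.10",        # one office host
    "198.51.100.0/24",     # an office range
    "2001:db8:abcd::/48",  # an IPv6 range
]


def parse_allowlist(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Turn admin-entered strings into network objects.

    A bare address becomes a /32 (or /128) so every entry is compared the
    same way. Malformed entries raise instead of being silently dropped: a
    dropped entry would lock out a legitimate office, while a silently
    "corrected" one could open the project to far more than intended.
    """
    networks = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        # strict=False accepts "198.51.100.5/24" (host bits set) as the /24.
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_allowed(client_ip: str, networks) -> bool:
    """True if client_ip lies inside any allowlisted network.

    client_ip must be the address the server (or a trusted reverse proxy)
    saw on the TLS connection, never a header the client itself can set.
    An unparseable address is denied (fail closed). Mixed IPv4/IPv6
    comparisons are simply False, so a v6 client never matches a v4 range.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def project_access_decision(client_ip: str, entries: Iterable[str]) -> str:
    """Mirror the feature's two states: an empty list means the option is
    not set ("open" to authenticated users); otherwise enforce the list."""
    networks = parse_allowlist(entries)
    if not networks:
        return "open"
    return "allow" if is_allowed(client_ip, networks) else "deny"
```

The restriction applies after username/password authentication, so it narrows where a valid credential may be used from; it does not replace the credential check.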


We also offer on-premises solutions for a greater level of security. Contact us to learn more.