Strengthening Web Application Security and why it is 2nd most vulnerable threat vector in 2021 according to Forrester Research

Illustration by Aleksandr Smetanov from Ouch!

As the software development industry and threat landscape continue to evolve, Forrester’s State of Application Security Report for 2021 shows that web applications are still a major attack vector. In 2020 and 2021 shift to remote work drove companies to rely on applications in the cloud even more, which explains why the research shows that web applications are the most common form of external attack, followed by software vulnerabilities.

Here are the main takeaways from the report, covering why applications remain a top attack vector, application security trends, and which tools and processes organizations should put into place to achieve an effective application security strategy.

Data from: Forrester’s State of Application Security, 2021 Report

The report lists three main reasons why web applications will continue to be a main vector for external attacks:

  • The continuous growth in open source usage. Open source software are typically not packaged with enterprise grade security protections at the code level, in order to retain the open source licensing model. Further open source libraries publish their code in order to be open source, allowing cyber attackers to create custom intrusions by reverse engineering. Thus the more open source code is operationalized without appropriate additional security protection at the code level, the more the chances for an organization to fall prey to a Cyberattack.
  • A substantial increase in security research, resulting in a rise in the number of reported security issues including a high number of API vulnerabilities. Cyber attackers have access to and read these same reports, allowing them to leverage these vulnerabilities to mount massive zero-day vulnerability attacks.
  • The growing popularity of containerized environments, which suffer from a high volume of code and configuration issues. This provides easy targets for Cyber attackers.

Improving Application Security

According to the report, many organizations plan to prioritize improving their AppSec profile in the upcoming year, and 21% of security decision-makers surveyed said their companies will prioritize building security into development processes.  Here are achievable recommendations that can help organizations bake security into the software development life cycle (SDLC).

  • Integrate automated application security testing into the DevOps pipeline – a practice that is now relatively easy to adopt with “prerelease testing products offering deep integrations with core development tools like Azure DevOps, GitHub, Jenkins, and Jira.”
  • Security pros and security teams should nurture communication between security and development teams and embrace automated security testing tools throughout development.
  • Finding ways to speed up remediation once security issues are detected. It’s important to combine the vulnerability scan results to both improve visibility and get vulnerability prioritization right so that the most urgent issues are remediated swiftly. application security tools should not stop at detection, rather provide automated support for prioritization of security issues.
  • Provide developers with remediation guidance, and automate work processes like sign offs for policy creation and exceptions.
  • Create tools that developers love. As advanced AppSec tools focus on developers, it’s important security professionals collaborate with development teams to ensure security is woven into development workflows.  As the software development ecosystem evolves “new development methodologies mean changes to the traditional security paradigms.” This calls for investing in updated application security tools that can be easily integrated in future application development plans and architecture. Increasingly security tools in DAST (dynamic application security testing), cloud security, security as a platform, and WAF (Web Application Firewall) are gaining major traction and purchase in this space.
  • Cultivate developer security champion programs in order to promote a shared sense of ownership over security tasks. This will help organizations ensure that the shift left approach is being implemented and that security is addressed early in the development process.
  • Incorrect implementation of application functions related to authentication and session management are serious issues. They make it easier for attackers to compromise passwords, keys, or session tokens or exploit other implementation flaws.  Clearly understanding how to avoid such incorrect implementations, creating a culture of secure coding practice, and leveraging static code analysis in SDLC are key to avoiding such costly fundamental mistakes.  OWASP has a great article discussing the top 10 application security risks as observed in 2021.
  • Invest in acquiring and regularly reviewing Threat Intelligence pertaining to the industry.  “Knowing thy enemy” is a crucial saying in the landscape of Cybersecurity.  It is important for any organization to get a better understanding what kind of cyber attackers tend to target their industry and what type of information these attackers tend to target.  This kind of knowledge helps to further strengthen protection for those critical targets.

Encouraging Treands

The report points to some encouraging trends when it comes to the integration of automated security testing tools into the DevOps pipeline and advises that “new development approaches call for new tooling, and firms must keep up with the evolving protections to protect emerging application architectures.”

  • Data shows, security pros continue to invest in shifting security left, implementing testing tools early in the development process, understanding that this shift enables quicker remediation.
  • There is an increased focus on API security, while container security lags behind, despite the growing popularity of containerized environments.

Supply Chain and Critical Infrastructure Attacks

The Forrester report addresses the emergence of supply chain attacks, which have recently featured heavily in the news. The report reminds readers that it’s important to focus on the wider open source threat landscape.

While it’s important to pay attention to security risks to the supply chain, the report urges organizations to remain aware of open source security risks. It’s as important as ever to continuously detect and remediate vulnerabilities in open source libraries in order to ensure security and keep products and customers safe.

Critical Takeaway

According to the report, Forrester analysts discovered ‘ a number of promising trends that could lead to improvements in application security’, including an increased focus on the OWASP Top Ten and on-device application security testing, as well as a focus on security during the build phase in the Software Development Life Cycle (SDLC), via the use of DevSecOps methods that can be used to increase application security. According to the report, many organizations plan to prioritize improving their AppSec profile in the upcoming year, and 21% of security decision-makers surveyed said their companies will prioritize building security into development processes.

how can we help you?

Let’s continue discussion on how we can help you implement a done-for-you holistic Cybersecurity Management Posture.


    Penetration testing methodologies help to methodically identify security vulnerabilities in an organization. Think of this type of testing as your live-fire exercise for a Cyber-attack. Here are top four penetration testing methodologies that are industry-recognized and respected.

    October 19, 2021
  • What every CEO needs to know to prevent Ransomware

    In this session we look at 4 foundational layers of proven management approach that every C-Suite leader needs to know to implement better than adequate controls in Cybersecurity protection and posture to prevent Ransomware.

    March 29, 2022

    Here are some of the worst cybersecurity strategies, unfortunately, followed and adopted by many organizations. Such practice has repeatedly lead the companies to disastrous results in loss of business, reputation, and monetary fines.

    November 9, 2021

    A Data Breach is a multi-headed beast, and this beast is growing strong by leaps and bounds in its capability to cause monetary damage as well at the ways it can attack the most sensitive of data. In this podcast we detail 4 favorite attack areas in 2021 that cyber-attackers prefer to use to breach data and what can IT leaders do about it.

    March 29, 2022
  • Why point solutions in Cybersecurity won’t protect against a data breach, but holistic posture can.

    With the rise of ransomware, phishing mails, vishing (voice phishing), DDoS attacks, data breaches, nation state sponsored cyber attacks, it is becoming more important than ever before to have strong holistic Cybersecurity protection. Point solutions are not enough anymore to handle complex cyberattacks. Let’s look at why holistic cybersecurity instead is better than point solutions.

    November 10, 2021
  • Phishing Attacks come in many forms, learn more about each form and how to prevent them

    Phishing is one of the oldest and yet still prevalent form of Cyberattack. It comes in many forms and often come with combination of forms. In this post, let us learn more about each of the numerous types of Phishing attacks and how to prevent them.

    November 17, 2021

    Cybersecurity threats are causing a lot of losses for SMBs in 2021. As these organizations address cybersecurity in 2021, they need to understand what they are facing. Here are five top cybersecurity challenges faced by SMBs in 2021 as well as downloadable 5 tips to protection.

    October 20, 2021

    The fast changing and popular cryptocurrency investing market is attracting much attention from cyber attackers to prey on investors. Here are details on some of the prevalent scams that are popping up, for any investor in crypto to be aware of.

    November 4, 2021
  • How to Prevent a Data Breach

    A Data Breach is a multi-headed beast, and this beast is growing strong by leaps and bounds in its capability to cause monetary damage as well at the ways it can attack the most sensitive of data. There is no silver bullet solution for this is problem, furthermore, there are no one-set of controls to keep this beast at bay.

    March 29, 2022