Here is a recap from seven experts of the current year’s cybersecurity challenges, and a look at what we can expect next.
2020 has been a year filled with unpredictability. However, several trends are clear in the world of cybersecurity. Here are the ruminations and predictions of seven experts.
- Goodbye, centralized security
In 2020, we saw attacks on unlikely-seeming targets, from Jack Daniels to tugboats. Looking ahead, we will see attackers continue to profit from the asymmetric advantage of software exploits, delivering punishing attacks on organizations of all types.
Some things will certainly not change in 2021.
➣ Massive amounts of valuable data will continue to be placed online in public places with no protections.
➣ People will continue to choose easily guessed passwords that they reuse across multiple accounts, and continue to click on sketchy links in emails.
➣ Organizations will continue not to keep up to date with software patches and versions. They will continue to ignore more than a half-century of accumulated wisdom about defence in depth, least privilege, and all the other lessons about software development the world learned the hard way.
On a more hopeful note, 2021 should be the year where we officially bury the centralized, isolated model of software application security. This was the somewhat naïve approach many organizations first adopted, wherein a single group would have responsibility for the security of all applications being built.
Time has shown that this approach results in a slow, frustrating process. Security and development organizations end up at loggerheads, and the end result is applications that are hardly more secure and are slower to market.
In the new model, security is inseparable from software development. It is baked into every phase, from design through implementation all the way to maintenance. Security teams can provide expertise and support, but security is automated and integrated with the software development process: a seamless addition that results in safer, more secure, better products.
As 2021 progresses, I predict more and more application teams will take full responsibility for their own security, with appropriate support from the security team. As responsibility and budgets shift, application teams will increasingly adopt a DevSecOps process, in which automation is fully leveraged to maximize velocity, and a culture of continuous improvement that allows each team to tune and optimize processes.
— Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group
- Learning from Estonia?
By the end of 2021 there will be very few non-digital organizations, and many will be just starting to be digital. Plenty will be in the process of cloud migration, and the numbers of cloud-native businesses will be high.
Like the Y2K situation that saw systems having to upgrade overnight, the COVID-19 pandemic has forced change. As with Y2K, plenty of IT issues and plans will have to be finished or tweaked in the following months and years, but it has still been a huge transformation. Half of all companies will be completely transformed by the new digital requirements.
I think financial services will travel the furthest, but it will be particularly interesting to see how traditional brick-and-mortar businesses adapt to the requirements of a more digital life. The slowest transformation will likely be in government functions. These governments can learn from Estonia, where government is completely digital and all actions from voting to payments can be handled digitally.
— Marten Mickos, CEO at HackerOne
- Watch out for misconfigurations and missteps
As businesses recover from the ongoing pandemic and economies are rebuilt, I predict that there will be an uptick in application development and deployment. That means the rapid introduction of new assets, applications and networks; a growth that will be challenging to manage from a security perspective.
➣ I believe the biggest challenge to both businesses and government agencies will be managing their attack surfaces and the respective areas of security exposures as their infrastructure rebuilds and recovers.
➣ I expect to see more low-hanging fruit being introduced within attack surfaces, as companies work on deploying new infrastructure following the pandemic. I mostly expect this low-hanging fruit to be classified as security misconfigurations within cloud deployments leading to critical vulnerabilities or exposure.
➣ In APAC, we are still embracing the cloud-first approach and, with the shift to the cloud, I expect to see companies adopting newer technologies, such as Kubernetes, to orchestrate the deployment of critical applications and services. With new technologies and methodologies being adopted, there are usually misconfigurations and missteps along the way that may lead to vulnerabilities.
As we have seen in the last quarter of 2020, attackers—in order to achieve their fiscal and political goals from ransomware attacks—are targeting organizations that store critical information (medical records) or host critical infrastructure (hospitals).
Unfortunately, this trend will continue, with a total disregard of morals, targeting industries or companies that service the most vulnerable people in our society.
This is a grim outlook on the future, but given the pace of current attackers, I would not be surprised if infrastructure that is critical to our livelihoods is targeted (SCADA systems, telcos, healthcare, education).
— Shubham Shah a.k.a @notnaffy; HackerOne (Australia) affiliate
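The kind of Kubernetes misstep described above is mostly a handful of pod-level settings that ship with insecure defaults or get copied from a quick-start. The following is an added example written for this page, not code from HackerOne or the author: a small audit over a Pod manifest that flags those settings, run against one constructed "deployed in a hurry" manifest and one hardened manifest. The rule set, the finding texts and both manifests are assumptions chosen for the demo; the manifests are plain Python dicts so the script runs without a YAML parser or a cluster.

```python
"""Audit a Kubernetes Pod manifest for common security misconfigurations.
Added example, not code from HackerOne or the author; the rules and both
sample manifests are constructed for this demo and cover pod-level settings only."""

# Capabilities that give a container a direct path to the node (assumed list).
RISKY_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_RAW"}


def audit_container(c, pod_ctx):
    """Return findings for one container; pod_ctx is the pod-level securityContext."""
    name = c.get("name", "<unnamed>")
    sc = c.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    added = set(caps.get("add") or [])
    image = c.get("image", "")
    findings = []
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container (effectively root on the node)")
    if sc.get("allowPrivilegeEscalation", True):          # default is true
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    if not (sc.get("runAsNonRoot") or pod_ctx.get("runAsNonRoot")):
        findings.append(f"{name}: may run as root (runAsNonRoot not true)")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: writable root filesystem")
    if added & RISKY_CAPS:
        findings.append(f"{name}: adds risky capabilities {sorted(added & RISKY_CAPS)}")
    if "ALL" not in (caps.get("drop") or []):
        findings.append(f"{name}: does not drop ALL capabilities")
    # Mutable tags make the deployed code unreviewable; require a tag or digest.
    if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
        findings.append(f"{name}: image '{image}' is not pinned to a version")
    return findings


def audit_pod(manifest):
    """Return a list of human-readable findings; an empty list means the checks pass."""
    spec = manifest.get("spec") or {}
    pod_ctx = spec.get("securityContext") or {}
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} shares a host namespace")
    for v in spec.get("volumes") or []:
        if "hostPath" in v:
            findings.append(f"pod: volume '{v.get('name')}' mounts hostPath {v['hostPath'].get('path')}")
    if spec.get("automountServiceAccountToken", True):     # default is true
        findings.append("pod: service account token is auto-mounted into every container")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        findings.extend(audit_container(c, pod_ctx))
    return findings


# Constructed sample: a pod as it often looks after a rushed migration.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "billing-api"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "api",
            "image": "registry.example/billing-api:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: the same workload with the exposures closed.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "billing-api"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api",
            "image": "registry.example/billing-api:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(audit_pod(pod))} finding(s)")
        for f in audit_pod(pod):
            print("  -", f)
```

Running it lists nine findings for the weak manifest (host networking, the Docker socket mount, the auto-mounted service account token, the privileged container and its defaults, and the unpinned image) and none for the hardened one. The checks are the same ones an admission controller such as a Pod Security policy would enforce at deploy time; running them in CI on the manifests catches the misstep before it reaches the attack surface.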
- The challenge of authentication weaknesses
Due to the COVID-19 pandemic, I’ve seen an influx of bug bounty hunters in various programs. I noticed that many programs hardened really quickly at the start of the pandemic, especially common vulnerability classes such as XSS, SQL Injections and basic authentication bypasses.
For 2021, I think the biggest security threats to businesses will be authentication bypasses and access control issues, which I find a lot of. I think they will continue to have a significant impact on any company. This will probably continue since the issue is based on the context of the application. Scanners do not pick up these issues; hence the need to have experienced and trained eyes looking for them.
In the Asia Pacific region, One-Time Password bypasses tend to be quite prominent. While 2FA is a compliance requirement in APAC, developers tend to roll out these features quickly but not securely.
On the other hand, previously-common vulnerabilities such as CSRF or SQL Injection will be reduced due to frameworks adopting secure default settings.
— Samuel Eng a.k.a @Samengmg; HackerOne (Singapore) affiliate
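The authentication and access-control bugs described above are context bugs, which is why scanners miss them: each request is well-formed, and the flaw is in what the server trusts. The following is an added example written for this page, not code from HackerOne or the author, showing two of the most common OTP weaknesses side by side with a hardened version: a verify step that allows unlimited guesses and never expires a code, and an identity check that logs the caller in as whoever the request claims rather than the account the code was delivered to. The service classes, the five-attempt limit, the five-minute expiry and the sample identities are assumptions chosen for the demo.

```python
"""One-time-password verification: a bypassable version next to a hardened one.
Added example, not code from HackerOne or the author; the service classes, the
attempt limit, the expiry window and the sample identities are assumptions."""
import hmac
import secrets
from dataclasses import dataclass
from time import time

MAX_ATTEMPTS = 5        # assumed lockout threshold per challenge
OTP_TTL_SECONDS = 300   # assumed validity window


@dataclass
class Challenge:
    user_id: str        # the account the code was actually delivered to
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class WeakOtpService:
    """The 'shipped quickly' version: unlimited guesses, no expiry, reusable
    codes, and the authenticated identity is whatever the request claims."""

    def __init__(self):
        self.challenges = {}

    def issue(self, user_id, code=None):
        """Create a challenge; `code` is only overridable for the demo."""
        cid = secrets.token_hex(8)
        code = code or f"{secrets.randbelow(10**6):06d}"
        self.challenges[cid] = Challenge(user_id, code, time())
        return cid

    def verify(self, claimed_user, cid, code, now=None):
        """Return the user to log in as, or None."""
        ch = self.challenges.get(cid)
        if ch is None or ch.code != code:
            return None
        return claimed_user    # BUG: identity comes from the request, not the challenge


class HardenedOtpService(WeakOtpService):
    def verify(self, claimed_user, cid, code, now=None):
        now = time() if now is None else now
        ch = self.challenges.get(cid)
        if ch is None or ch.used or ch.user_id != claimed_user:
            return None                      # unknown, spent, or someone else's challenge
        if now - ch.issued_at > OTP_TTL_SECONDS:
            del self.challenges[cid]
            return None                      # expired
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.challenges[cid]         # burn the challenge; a new code must be issued
            return None
        if not hmac.compare_digest(ch.code.encode(), code.encode()):
            return None
        ch.used = True                       # single use
        return ch.user_id                    # identity comes from the challenge


def brute_force(service, claimed_user, cid):
    """Enumerate the 6-digit space the way an attacker facing no rate limit would."""
    for guess in range(10**6):
        code = f"{guess:06d}"
        if service.verify(claimed_user, cid, code) is not None:
            return code
    return None


if __name__ == "__main__":
    weak, hard = WeakOtpService(), HardenedOtpService()
    # The attacker requests a code for their own account, then claims to be 'alice'.
    print("weak cross-user:", weak.verify("alice", weak.issue("mallory", "123456"), "123456"))
    print("hardened cross-user:", hard.verify("alice", hard.issue("mallory", "123456"), "123456"))
    print("weak brute force:", brute_force(weak, "mallory", weak.issue("mallory", "004217")))
    print("hardened brute force:", brute_force(hard, "mallory", hard.issue("mallory", "004217")))
```

Against the weak service the cross-user call returns "alice" and the brute force recovers the code; against the hardened one both return None, and after the lockout even the correct code is rejected until a fresh challenge is issued. The same pattern applies to any second-factor check: bind the challenge to the session that started it, count and cap attempts server-side, expire and single-use the code, and derive the resulting identity from the server's own record rather than from anything the client sent.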
- Atmosphere of uncertainty continues
The shock of 2020 has seen even the most conservative businesses let go of their qualms about remote-working and undertake some sort of unexpected digital transformation.
➣ When we asked a selection of CISOs worldwide about their experiences, 36% said their DX initiatives had accelerated as a result of the pandemic
➣ Another 30% had seen more attacks on their IT systems
➣ 64% believed their organization was more likely to experience a data breach
As we reach the end of the year, it is clear that nothing is going ‘back to normal’ anytime soon. Practically overnight, businesses have shifted to a remote workforce. We have a situation where we have effectively expanded the corporate network boundaries to the home.
We cannot rely on devices and endpoints to be where security stops. Using devices for work and home and everything else—combined with trying to be as productive and efficient as possible—means there are so many more openings to the attack surface.
➣ Attackers will continue to take advantage of the atmosphere of uncertainty. Preparing our workforce for a security issue will be key to preventing attacks that rely on human weakness.
➣ More businesses will have to adopt Zero Trust models to ensure companies can start feeling secure without their firewall and perimeter security.
As a bug bounty platform, we believe ethical hackers can be a good weapon against cybercriminals, testing systems round the clock in the same way that bad hackers do, allowing organizations to beat the criminals at their own game.
— Miju Han, Senior Director, Product Management, HackerOne
- Increased demand for API, App and Cloud security
Cloud transformation will have a big impact on the software security market in the next 1–2 years. Software security evolved over the last 5–10 years from a scan-and-report audit mindset to more of an assurance practice designed to improve security without inhibiting speed and innovation.
As the use of open source rose, significantly increasing the risk from license misuse and security vulnerabilities in open source and third-party components, software composition analysis became an essential part of security assurance programs.
With the adoption of cloud infrastructure, micro-services and APIs for everything, we are seeing a similar and even bigger shift in the very definition of an application. They are more often than not composed of a collection of third-party services, APIs, micro-services and cloud-native components and services orchestrated via cloud providers or managed orchestration platforms like Kubernetes.
To get ahead of this cloud transformation, software security will evolve again into a risk-based vulnerability management service that seeks to automate and orchestrate security services as part of the software build and delivery pipeline. Security teams will arm developers with “point of capture” tools and coaching to eliminate vulnerabilities during development and provide policy guardrails for enabling speed. Throughout the pipeline, orchestrated security services will automatically reinforce the policy guardrails and enable risk-based vulnerability management for overburdened, under-resourced security teams that are challenged to get in front of cloud adoption. As a result, we’ll see increased demand for API security, cloud application security, application security orchestration services and consolidated risk-based vulnerability management approaches to software risk reduction.
— Jason Schmitt, General Manager, Synopsys Software Integrity Group
- The scourge of ransomware continues
For the past several years, social engineering has been the primary attack vector used to breach organizations. While we have seen enterprises implement increasingly rigorous social engineering testing programs to increase awareness and lower the chances of a successful attack, humans will continue to be a popular target for cybercriminals.
And, as attackers get more sophisticated in their approach, ransomware attacks will most likely continue to cause havoc for companies.
— Thomas Richards, Principal Consultant, Synopsys Software Integrity Group