2019 proved to be a hectic year in the cybersecurity landscape. With 3,813 data breaches occurring in the first six months alone (exposing over 4.1 billion records) and 12,174 new vulnerabilities discovered in commercial and open source software, this year has certainly been one for the memory books. With all signs pointing to 2020 being equally active, we sat down with three of our resident experts to better understand what we can expect to see next year in terms of emerging threats, new defense mechanisms, and more. These predictions were all derived from observed trends, professional insight, and intimate knowledge of our industry. Their predictions are as follows:
Maty Siman, Founder & CTO, Checkmarx
In 2020, we’ll see an increasing number of cybercriminals use artificial intelligence (AI) to scale their attacks. Not long ago, it took days or weeks for an adversary to carry out a single, basic phishing attack. Today, we’re seeing AI being used in an array of attacks including whaling, whereby attackers use AI for social network recon, making their efforts substantially more targeted and effective. AI will also open the door to mutating malware based on attackers using genetic algorithms that are capable of learning, increasing their chances of success. What’s particularly concerning is that these mutations often bypass traditional anti-virus solutions by altering their signature or structure along the way, meaning the malicious payload is free to wreak havoc on systems.
Infrastructure as Code:
Until recently, organizations’ security spend primarily focused on protecting traditional IT infrastructure. Today, that infrastructure is flexible, with organizations scaling up and down as needed, thanks in part to infrastructure as code. This has immense benefits, but in 2020, we can expect to see attackers abusing developers’ missteps in these flexible environments. With the introduction of infrastructure as code, network and security architectures are being defined in software, which impacts the traditional IT security spend. Infrastructure as code will lead to more dollars allocated toward software and application security, which previously accounted for only around 10% of IT security budgets, drastically shifting traditional security spend.
With organizations increasingly leveraging open source software in their applications, next year, we’ll see an uptick in cybercriminals infiltrating open source projects. Expect to see attackers “contributing” to open source communities more frequently by injecting malicious payloads directly into open source packages, with the goal of developers and organizations leveraging this tainted code in their applications. As we see this scenario unfold, there will be a growing need for processes like developer and open source contributor background checks. Currently, open source environments are based entirely on trust - organizations typically don’t vet developers’ past projects or reputations. However, as attackers take advantage of open source projects, this trust will begin to erode, forcing organizations to take proactive mitigation steps by thoroughly vetting the open source code within their applications, as well as those providing it.
Erez Yalon, Head of Security Research, Checkmarx
While we saw IoT vendors “talk the talk” about the importance of IoT security and privacy in 2019, it hasn’t translated to them “walking the walk” yet and truly prioritizing consumer security equally with profit. With consumers becoming more aware of IoT security issues, vendors will be forced to take greater responsibility for ensuring their devices are secure in 2020. On the other end of the spectrum, I also expect end users to take a greater interest in researching vendors’ security track records and credibility before purchasing IoT devices for their own personal use, which could lead to irresponsible vendors quickly finding their products stacking up in warehouses and on store shelves.
In the year ahead, API abuses will become an even more prominent vector for data breaches within enterprise applications. Today, there’s almost no way to develop a modern application without some sort of API integration, and adversaries are taking note, now setting their sights on this emerging attack frontier. API security education will be paramount in 2020 and beyond in order to reduce these related risks and the vulnerabilities that cause them. Developers should leverage resources available to them, such as the OWASP API Security Top 10 list, which tracks the risks that organizations face concerning their usage of APIs.
Matt Rose, Global Director of Application Security Strategy, Checkmarx
In 2020, we’ll see the proliferation of microservices in software architecture with development teams placing an equal emphasis on speed and security. The utilization of these small code blocks is becoming essential to maintaining agility in the CI/CD pipeline, and a modernized, secure microservices approach will become the new normal for software development next year and beyond.
Voting infrastructure is no longer a physical crank arm and corresponding button. The vast majority of voting and vote-counting now takes place on machines, which run on commercial and open source software, essentially making them just as vulnerable as any other browser-enabled, network-connected resource. I expect attackers that are looking to interfere with the 2020 elections to find ways to manipulate the data going into or coming out of these machines. With this, common techniques such as SQL injection can be expected to appear, where adversaries will attempt to manipulate a query string and augment — or even outright delete — voting data. The effects of such hacks are clear, as voting data could be skewed, or worse, votes could be erased entirely.
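The query-string manipulation described above, shown as an added example that is not part of the original post: a constructed in-memory vote table (hypothetical schema) is queried once by string concatenation and once with a bound parameter, so the tally skew and the fix can both be observed.

```python
import sqlite3

# Constructed sample data: a tiny vote table with a hypothetical schema.
VOTES = [
    ("precinct-1", "Candidate A"), ("precinct-1", "Candidate B"),
    ("precinct-2", "Candidate A"), ("precinct-2", "Candidate A"),
    ("precinct-3", "Candidate B"),
]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE votes (precinct TEXT, candidate TEXT)")
    conn.executemany("INSERT INTO votes VALUES (?, ?)", VOTES)
    return conn


def count_votes_unsafe(precinct):
    """Vulnerable: the caller-supplied value is spliced into the SQL text,
    so quote characters in the input change the query's logic."""
    conn = _db()
    sql = f"SELECT COUNT(*) FROM votes WHERE precinct = '{precinct}'"
    return conn.execute(sql).fetchone()[0]


def count_votes_safe(precinct):
    """Hardened: the value is passed as a bound parameter and is only ever
    compared as data, never parsed as SQL."""
    conn = _db()
    sql = "SELECT COUNT(*) FROM votes WHERE precinct = ?"
    return conn.execute(sql, (precinct,)).fetchone()[0]


def looks_like_injection(value):
    """Cheap heuristic for logging or alerting on suspicious input values;
    a detection aid, not a substitute for parameterized queries."""
    return any(marker in value for marker in ("'", "--", ";"))


if __name__ == "__main__":
    crafted = "precinct-1' OR '1'='1"
    # The concatenated query counts every row for the crafted input (5 instead of 2).
    print(count_votes_unsafe("precinct-1"), count_votes_unsafe(crafted))
    # The parameterized query matches no precinct with that literal name (0).
    print(count_votes_safe("precinct-1"), count_votes_safe(crafted))
    print(looks_like_injection(crafted))
```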
One of the greatest challenges currently facing security and development teams revolves around security-related data overload, which hinders software delivery speeds and security integrity. Application security testing tools that leverage automation to produce high-quality results will continue to evolve in 2020, helping organizations shift to a true DevSecOps model by automating vulnerability detection and triage, reducing software time-to-market overall. In order to understand their threat landscape better, and what should be automated in their SDLC, next year, organizations must stop solely looking at the top industry threats to shape their defense strategies, and instead look at the top threats relevant to their own infrastructures and business models. Automated security tools will support this effort, streamlining triage processes and helping teams focus on their most pressing vulnerabilities first.
Do you have any cybersecurity predictions of your own for next year? If so, share them with us on Twitter via our handle (@Checkmarx)! Additionally, if you’d like to see how our 2018 forecasts stacked up from last year, check out our blog here