To say that 2020 was an unusual year would be an understatement. Business, government, healthcare, and education drastically changed with many organizations making massive digital transformations that were completely unplanned in many cases. The modifications nearly every organizations had to make were primarily driven by events outside of anyone’s control. However, their success in this transformation in many cases were beyond just notable, they were remarkable.
Nevertheless, with all of the adjustments that took place, the world of cyber attacker vs. cyber defender did not change much, other than the attack surface and threat landscape expanded beyond anyone’s ability to measure. As a result, we once again sat down with two of Checkmarx resident experts to better understand what we can expect to see next year in terms of emerging threats, new defense mechanisms, innovative software development and deployment approaches, and more. These predictions were all derived through observed trends, professional insight, and intimate knowledge of technology and software-driven industries as a whole. Their predictions are as follows:
Maty Siman, CTO
Security will race to catch development speeds, adapt to the cloud.
Developing and releasing applications fast while maintaining security is a mindset that while talked about, is not being executed effectively. Cloud development needs to happen fast with as many drops as possible. And with that, the current philosophy from many organizations is to get software quickly into production and roll back if a bug is found, so they can push features in a faster manner. But this doesn’t work with security. You can’t push code and then roll back to fix vulnerabilities, as it presents an opportunity for malicious actors to infiltrate your systems. In 2021, the tools used for application security that integrate into the tool chain must work much more rapidly, scale to cloud environments, and present actionable findings in a format that developers can understand and use to make quick fixes.
Open source hacking will accelerate while organizations look to thwart malicious actors.
Hackers find open source to be an easy way into organizations, and this trend will accelerate in 2021. Rarely does a week go by without a discovery of malicious open source packages. Yes, organizations understand they need to secure the open source components they’re using, and existing solutions help them in removing packages that are mistakenly vulnerable (where a developer accidentally puts a vulnerability into the package). But they are still blind to instances where adversaries maliciously push tainted code into packages. This needs to change in 2021.
As a baseline, it’s best to stick to well-known (vs immature) open source components for critical projects and review the policies by which open source projects accept new contributors (whether they allow anyone to contribute or do background checks to weed out the potential bad actors).
Demand for cloud-based security increases use of infrastructure as code (IaC).
The overnight digital escalation that occurred in 2020 forced many organizations to turn to the cloud to maintain business continuity. The cloud offers obvious advantages in order to support a dispersed workforce. But, with this transition comes new challenges, with one of the biggest revolving around the emergence of infrastructure as code (IaC).
IaC has forced developers into uncharted waters, due to the lack of proper training and mounting pressure to build code quickly in these environments. The actual architecture of this code is extremely complex and the security tools on the market today are generally too disparate to detect gaps in the code. In 2021, I expect to see malicious attackers exploit developers’ missteps in these flexible environments. To combat this, we will see a major concentration around cloud security training, IaC best practices, and additional spend allocated toward software and application security to support the demand of a remote workforce and more complex software ecosystems.
Security will report to development, not the other way around.
It’s no secret that developers are trendsetters in organizations that are driving toward digital transformation. Integrating security into software development needs to take both a bottom up and top down approach. Developers are opinionated and increasingly influential, and you cannot force them to do or use something they don’t buy into. To foster collaboration between security and development, security in 2021 will need to integrate into the development tool chain in a manner that the latter is most comfortable with. Developers are no longer willing to switch between different interfaces (one for development and one for security) - nor should they have to if speed is demanded equally with security. They want to consume all data, whether we’re talking about data pertaining to quality issues or security issues, in a streamlined manner. Security will meet developers where they are, using the interfaces and tools they prefer.
Context will be king. With holistic views of the application, security posture improves.
Next year, we’ll see a departure from “one trick pony” solutions. 2021 will bring AppSec market convergence as the demand from organizations to get a holistic perspective on the security posture of their applications from several vantage points (e.g., understanding application context and meshing it with infrastructure as code) drives adoption of one-stop-shop solutions that provide a full ecosystem view. When it comes to the security of open source in particular, more comprehensive views will allow organizations not only to know if they are consuming a vulnerable package, but also, and more importantly, whether or not the way that the application consumes it makes an attack or vulnerability possible.
This is one specific example. When a vulnerability exists in an open source component, in order for a hacker to exploit that vulnerability, three conditions need to be met: 1) you need to consume that open source in that vulnerable version, 2) your application needs to code to a specific function in that open source, and 3) your infrastructure as code needs to open a specific port. Only by having contextualized insight by combining these three pieces of data will you accurately be able to tell if you are vulnerable to attack.
Erez Yalon, Director of Security Research
Cloud-native security will take center stage.
API has been the buzzword when it comes to modern software development and security. But if 2020 was the year of the API, 2021 will be the year where cloud-native security steals the spotlight. APIs play a major role in cloud-native security, but the focus will turn to how cloud-based technologies continue to proliferate and increase in adoption across organizations. Securing the resulting ecosystems of interconnected cloud-based solutions will become a priority.
In its current state, widespread understanding of cloud-native security is still in its infancy. APIs, containers, and orchestration tools are now commonplace in software development, and organizations have been working hard to increase the connectivity between the different tools they have employed to boost efficiency and productivity. But at each point of connection, there is risk of a vulnerability that could lead to a breach. In 2021, we will see organizations come to grips with this reality of software complexity and take steps toward protecting themselves.
Vulnerable APIs will be most responsible for software and application-related breaches.
While awareness around API security has improved over the past few years, we can still predict that APIs will remain a top, if not the top, attack vector for adversaries in 2021. While APIs have become a convenient way for developers to build and run more complex applications, issues like access control pose a challenge to developers as accounting for and eliminating these vulnerabilities is a difficult task with few easy solutions.
As malicious actors continue to ramp up their API-targeted attacks and organizations play catch-up in their understanding of how these programs can be exploited, adversaries will capitalize on this gap in the near-term, forcing developers to quickly identify ways to better secure API authentication and authorization processes.
Legacy IoT devices will render consumers particularly vulnerable.
One other area I’ll be paying close attention to in 2021 is older models of IoT devices still being deployed and active in corporate and personal environments. Over the past few years, we’ve seen an explosion in connected devices, so much so that our lives are inundated with them. We’ve grown accustomed to having IoT devices operate in the background without thinking twice about replacing, upgrading, or scrapping them altogether.
As these gadgets grow older but remain in use, many manufacturers have stopped supporting them with software updates and patches as they prioritize newer models, making older models prime targets for malicious actors looking for easy access points. As time moves on, vulnerabilities in these now outdated products will be discovered and exploited. Like the saying goes, eventually “everything old becomes new again,” which rings especially true for hackers.
Some progress on IoT security, but still ground to cover.
We will still have a lot of ground to cover with IoT security come 2021. The industry has taken steps in the right direction, such as the U.S. government passing a bill on IoT security, but the issue continues to reside in the lack of action on the part of consumers and manufacturers. Until consumers put real pressure on governments and manufacturers for improved security for IoT devices, or manufacturers take place a great emphasis for IoT security, this will be a continuing cause for concern.