Paul Farrington, EMEA CTO at Veracode, offers his predictions in terms of how he expects technology to evolve throughout the year and discusses how various technologies will be utilised within the business environment for innovation.
We should expect elections to be compromised
When it comes to election hacking, we’re in a time where we need to assume it’s happening across the globe until we can prove it isn’t.
There are plenty of reasons why foreign nation-states and big business would want to influence the results of an election, and the incentives – both monetary and power-based, are only going to grow.
From leveraging social media to create echo chambers that propagate certain agendas, to planting surveillance software on applications to monitor voter behaviour, bad actors are finding more and more ways to sway elections and it’s going to take a lot of voter education and awareness to outmanoeuvre them.
I expect we’ll start to see new, even stealthier tactics aimed at influencing voter opinion and the main targets will continue to be the political parties themselves. Our recent 2019 State of Software Security report found the government and education sector has the highest rate of security debt (unresolved software flaws) among the industries studied. Knowing this, all parties should assume there is a significantly increased risk of being targeted by attackers – and take appropriate steps to limit a breach, including addressing application flaws to minimise the risk of an attack.
Reducing mounting security debt will be paramount
One of the major reasons behind successful cyberattacks is the ability to exploit vulnerabilities in an application’s code. When organisations don’t address vulnerabilities, they leave themselves wide open to attacks.
Our 2019 State of Software Security report found the median time to fix flaws is 68 days for applications scanned 12 or fewer times per year, but this decreases by 72% to 19 days when applications scanned are scanned 260 or more times a year.
In 2020, reducing cybersecurity debt (the amount of open vulnerabilities) by introducing more frequent scanning of code at regular intervals should be a focus for any organisation serious about making best practice cybersecurity a focus.
Leading development teams will incentivise secure coding
Most organisations today acknowledge that they could not do what they do, or remain competitive without software. Software runs the world. The absence of security isn’t always conspicuous, until you are confronted with the effects of being attacked. This year, we’ll see companies looking at ways to incentivise best-practice security at every point in the software delivery process.
In order for people to truly care about making security a priority, organisations must integrate security into the ways in which development teams and engineers are incentivised. We should be providing developers with simple cues to encourage the right behaviour, but this has to be realistic. Very few software applications will ever reach zero security defects, nor would that even be a good use of company resources to achieve this.
First, we should agree what the security standards are for the team. Next, we classify those security bugs that are the highest priority, those that are important but not showstoppers, and those which, while not ideal are acceptable to exist. Especially for the first two categories, we should track the average time to fix a security bug. Once a baseline is established we need to negotiate targets so that engineers and product owners can buy-in. These metrics may ultimately help to determine compensation, but perhaps initially are linked to softer benefits for the team.
At the end of the day, as businesses we are trying to sell more products at a higher margin than our competitors do, so one way to differentiate is by leveraging security as a strength. If an organisation and its developers can work together to create, and stick to, these accountability measures, security will improve, in turn creating a competitive advantage.
Developers will try to find the balance between security and innovation
One billion Docker images are downloaded every two weeks. This is empowering developers to have control over how their code is deployed in target systems, helping organisations scale far faster and ensure fidelity of thought is maintained.
Containers are enablers, but as of today, they do not adequately address security issues.
With containerisation now considered the standard when creating code, there is a greater need to ensure security is a core part of the process going forward, especially as the technology continues to grow, making it an increasingly lucrative target for cybercriminals.
There is a paradigm shift taking place and the rules are being made up as we go along. A lot more research and innovation needs to happen on a security level to empower developers, while giving them the tools necessary to do their job securely. This year, all organisations using containers need to make sure they are secure without stifling innovation.
DevSecOps will be key to clearing software flaws
In organisations, development teams are being asked to take ownership of integrating security earlier in the software development life cycle. Likewise, security teams are more actively engaging on the development side and there is less friction between the two than in the past.
Organisations are looking at DevSecOps as a way to address the complexities of managing and securing cloud-native applications. Building understanding and cooperation between development and security teams, while also automating testing, can help organisations address security earlier in the development process while also creating secure code. Our latest State of Software Security report found that fixing vulnerabilities has become just as much a part of the development process as improving functionality, suggesting developers are shifting their mindset to view the security of their code as equal to other value metrics.
Development teams can’t ignore existing flaws nor choose to fix the new flaws before the old ones. Instead, they should be resolved in tandem, by fixing new flaws as they are discovered and using periodic ‘security sprints’ to fix unresolved flaws that could be exploited. There are challenges that can arise when incorporating security earlier in the development process, but with the threat landscape continuing to grow, organisations will see the benefits of making DevSecOps a priority this year.
Developers will select security tools which take less than 10 minutes to run in a development pipeline
DevOps teams that are able to integrate security testing into their development pipelines are twice as confident in their security than those that don’t automate security tests. As engineers look to automate tests in the integration pipeline, those tools which complete in a short space of time will be selected as a priority. Typically, this will mean that results are expected back within 10 minutes and accuracy is paramount. Noisy, lengthy security tests will either not go into pipelines or will be kicked out of the automation process.
Cloud-native technologies will become the de facto choice for development teams – organisations will need to prioritise security
There has never been a better time to work in software than now. Developers are presented with an abundance of choice when designing and creating software applications. Systems of the past were designed as monoliths. Having core logic tightly bound to a huge blob of software is today seen as an anti-pattern for stability and development velocity.
Overwhelmingly, developers are choosing architectures that allow failure to happen in one part of the system, without having an impact on the remaining system. Microservices, containers, orchestrators, services meshes and serverless computing are all enabling technologies that are allowing developers to achieve greater velocity. This, however, brings a security challenge.
A 2019 survey found that 35% of respondents had a lack of understanding of how to deal with the attack vectors specifically relating to cloud-native applications. Interestingly, 33% admitted that their development teams don’t involve cybersecurity experts for fear of being slowed down.
‘Everything-as-code’ (EAC) will include security
Everything needs to be code, but that’s not always the case today. We need software to be deployable, and increasingly, not to have to worry about how that will happen. ‘Infrastructure-as-code’ takes care of that, by ensuring that the configuration of how software gets run, just happens without humans needing to execute manual steps to bring services up. This principle can apply to anything, including application security.
This year, performant DevOps teams will ensure that Security-as-code, is a design feature. Security tests will be written into the configuration of how software is checked (and increasingly patched) before deployment will be standard.
Supply chain security needs to be brought into the next decade
Supply chains are becoming more complex and with this complexity comes more opportunity for cybercriminals to cause chaos.
Research shows that third-party software has more vulnerabilities than internally developed software. The people that care about the security of a particular software are more often than not the ones using it, not the ones creating it.
With developers releasing updates far more frequently, as well as leveraging different open source code or software from multiple parties, organisations need to ensure they have the full picture of the code they are using at all times.
Third-party penetration tests no longer work for the modern development cycle – which is now often daily rather than every few months. It is the organisation’s job to make sure certain standards are upheld so security can be ensured throughout the supply chain in real-time.
A total of 84% of professionals agree that their companies are concerned about the potential data security risk posed by third-party applications. The focus this year should be on making security part of an organisation’s competitive advantage and this should start with the supply chain.