By: Jonathan Knudsen, Senior Security Strategist, at Synopsys Software Integrity Group
Some things will certainly not change in 2021. Massive amounts of valuable data will continue to be placed online in public places with no protections. People will continue to choose easily guessed passwords that they use across multiple accounts and continue to click on sketchy links in emails. Organisations will continue not to keep up to date with software patches and versions. Organisations will continue to ignore more than a half-century of accumulated wisdom about defence in depth, least privilege, and all the other lessons about software development that organisations have learned the hard way.
In 2020, we saw attacks on unlikely-seeming targets, from Jack Daniels to tugboats. Looking ahead, attackers will continue to profit from the asymmetric advantage of software exploits, delivering punishing attacks on organisations of all types.
On a more hopeful note, 2021 should be the year where we officially bury the centralised, isolated model of software application security. This was the somewhat naïve approach many organisations first adopted, where a single group would have responsibility for the security of all applications the organisation was building. Time has shown that this approach results in a slow, frustrating process. Security and development organisations end up at loggerheads, and the end result is applications that are hardly more secure and are slower to market.
In the new model, what we might call Application Security 2.0, security is inseparable from software development. It is baked into every phase, from design through implementation all the way to maintenance. Security teams can provide expertise and support, but security is automated and integrated with the software development process, a seamless addition that results in safer, more secure, better products.
As 2021 progresses, I predict more and more application teams will take full responsibility for their own security, with appropriate support from the security team. As responsibility and budgets shift, application teams will increasingly adopt a DevSecOps process, in which automation is fully leveraged to maximise velocity, and a culture of continuous improvement allows each team to tune and optimise their processes.
By: Marten Mickos, CEO at HackerOne
By the end of 2021 there will be very few non-digital organisations. There will be many more that are just starting to be digital, plenty in the process of cloud migration and a growing number of organisations that are cloud native and have been digital from the off.
Like the Y2K situation that saw systems having to upgrade overnight, the COVID-19 pandemic has forced change. As with Y2K, plenty will have to be finished or tweaked in the following months and years, but it’s still been a huge transformation. Half of all companies will be completely transformed by the new digital requirements.
I think financial services will travel the furthest but it’ll be particularly interesting to see how traditional brick and mortar businesses adapt to the requirements of a more digital life. The slowest transformation will likely be in government functions, where many have not digitised when other organisations have. Those governments can learn from Estonia, where government is completely digital and all actions from voting to payments can be handled digitally.
By: Shubham Shah a.k.a @notnaffy; Hacker with HackerOne (Australia)
As businesses recover from this pandemic and economies are rebuilt, I predict that there will be an uptick in application development and deployment. That means the rapid introduction of new assets, applications and networks; a growth that will be challenging to manage from a security perspective. I believe the biggest threat to both businesses and government agencies will be managing their attack surface and the respective security exposures as they rebuild and grow.
I expect to see more low-hanging fruit being introduced within attack surfaces, as companies work on deploying new infrastructure following the pandemic. I mostly expect this low-hanging fruit to be classified as security misconfigurations within cloud deployments leading to critical vulnerabilities or exposure. In APAC, we are still embracing the cloud-first approach and, with the shift to the cloud, I expect to see companies adopting newer technologies, such as Kubernetes, to orchestrate the deployment of critical applications and services. With new technologies and methodologies being adopted, there are usually misconfigurations and missteps along the way that may lead to vulnerabilities.
As we have seen in the last quarter of 2020, attackers are targeting companies that store critical information (medical records) or host critical infrastructure (hospitals) in order to achieve their goals from ransomware attacks (large ransoms being paid out). I unfortunately believe this trend will continue, with a total disregard of morals, targeting industries or companies that service the most vulnerable people in our society. This is a grim outlook on the future, but given the pace of current attackers, I would not be surprised if infrastructure that is critical to our livelihoods is targeted (SCADA systems, telcos, healthcare, education).
By: Samuel Eng a.k.a @Samengmg; Hacker with HackerOne (Singapore)
Due to the COVID-19 pandemic, I’ve seen an influx of bug bounty hunters in various programs. I noticed that many programs hardened really quickly at the start of the pandemic, especially common vulnerability classes such as XSS, SQL Injections and basic authentication bypasses.
I think the biggest security threats to businesses in the next year are authentication bypasses and access control issues, which I find a lot of. I think they will continue to have a significant impact on any company. This will probably continue, since the issue is based on the context of the application. Scanners do not pick up these issues, hence the need to have experienced and trained eyes looking for them.
In APAC, OTP bypasses tend to be quite prominent. 2FA is a compliance requirement that has rapidly emerged in APAC, and this means developers tend to roll out these features quickly but not securely. On the other hand, previously common vulnerabilities such as CSRF or SQL Injection will be reduced due to frameworks adopting secure default settings.
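The OTP bypasses mentioned above usually come down to a handful of implementation mistakes rather than a weakness in the code generator itself. The following is an added example (not code from the article or from any HackerOne program) showing a deliberately weak OTP verifier next to a hardened one. The class names, the 6-digit code length, the 10-minute lifetime and the 5-guess budget are assumptions chosen for illustration; the `brute_force` helper plays the role of an online attacker who simply submits every possible code.

```python
"""
Added example: a weak one-time-password (OTP) verifier beside a hardened one.

The weak verifier shows the properties that make OTP checks bypassable in
practice: unlimited guesses, no expiry, no single-use, and a string comparison
that returns on the first mismatching character.  The hardened verifier adds
an attempt budget, a lifetime, single use and a constant-time comparison.
All names and parameters below are assumptions, not from any real product.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed code length
OTP_TTL_SECONDS = 600    # assumed code lifetime (10 minutes)
MAX_ATTEMPTS = 5         # assumed guess budget per issued code


class WeakOtpStore:
    """Keeps one code per user and checks it with no limits at all."""

    def __init__(self):
        self._codes = {}

    def issue(self, user, code):
        self._codes[user] = code

    def verify(self, user, guess):
        # Flaw 1: unlimited attempts, so a 6-digit code falls to at most
        #         10**6 online guesses.
        # Flaw 2: the code never expires and is never consumed on success.
        # Flaw 3: '==' on str stops at the first differing character.
        return self._codes.get(user) == guess


class HardenedOtpStore:
    """Per-user code with attempt budget, expiry, single use and
    constant-time comparison.  `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._records = {}   # user -> {"code", "expires", "attempts"}

    def issue(self, user):
        # secrets.randbelow is a CSPRNG; zero-pad to the fixed code length.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._records[user] = {
            "code": code,
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user, guess):
        rec = self._records.get(user)
        if rec is None:
            return False
        if self._now() > rec["expires"]:
            del self._records[user]          # expired: must request a new code
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._records[user]          # budget exhausted: burn the code
            return False
        ok = hmac.compare_digest(rec["code"].encode(), str(guess).encode())
        if ok:
            del self._records[user]          # single use
        return ok


def brute_force(store, user):
    """Online attacker: submit every possible code in order.
    Returns the accepted code, or None if the verifier never accepted one."""
    for candidate in range(10 ** CODE_DIGITS):
        guess = f"{candidate:0{CODE_DIGITS}d}"
        if store.verify(user, guess):
            return guess
    return None


if __name__ == "__main__":
    weak = WeakOtpStore()
    weak.issue("alice", "042913")            # constructed sample code
    print("weak verifier recovered:", brute_force(weak, "alice"))

    hard = HardenedOtpStore()
    hard.issue("alice")
    print("hardened verifier recovered:", brute_force(hard, "alice"))
```

Against the weak store the attacker recovers the code after at most a million requests; against the hardened store the record is burned after five wrong guesses and the same loop returns `None`. Rate limiting at the edge and binding the code to the session that requested it are the remaining pieces a real deployment would add.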
By: Miju Han, Senior Director of Product Management at HackerOne
The shock of 2020 has seen even the most conservative businesses let go of their qualms about remote work and undertake some sort of unexpected digital transformation. When we asked a selection of CISOs worldwide about their experiences, 36% said their digital transformation initiatives have accelerated as a result of COVID-19. Another 30% have seen more attacks on their IT systems, and 64% believe their organisation is more likely to experience a data breach.
As we reach the end of the year, it’s clear that nothing is going ‘back to normal’ anytime soon.
Practically overnight, businesses have shifted to a remote workforce. We’ve got a situation where we’ve effectively expanded the corporate network boundaries to the home. We can’t rely on devices and endpoints to be where security stops. Using devices for work and home and everything else, combined with trying to be as productive and efficient as possible, means there are so many more openings to the attack surface.
Attackers will continue to take advantage of the atmosphere of uncertainty. Preparing our workforce for a security issue will be key to preventing attacks that rely on human weakness. More businesses will have to adopt zero trust models to ensure companies can start feeling secure without their firewall and perimeter security. We need innovative solutions that can keep up with the current demand for speed. Ethical hackers can test systems round the clock and in the same way that cyber criminals do, allowing them to beat the criminals at their own game.
By: Jason Schmitt, General Manager of the Synopsys Software Integrity Group
Cloud transformation will have a big impact on the software security market in the next 1-2 years. Software security evolved over the last 5-10 years from a scan-and-report audit mindset to more of an assurance practice designed to improve security without inhibiting speed and innovation. Software composition analysis became an essential part of security assurance programs as the use of open source rose, significantly increasing the risk from license misuse and security vulnerabilities of open source and third-party components.
With the adoption of cloud infrastructure, micro-services and APIs for everything, we’re seeing a similar and even bigger shift in the very definition of an application. They’re more often than not composed of a collection of third-party services, APIs, micro-services and cloud-native components and services orchestrated via cloud providers or managed orchestration platforms like Kubernetes.
To get ahead of this cloud transformation, software security will evolve again into a risk-based vulnerability management service that seeks to automate and orchestrate security services as part of the software build and delivery pipeline. Security teams will arm developers with “point of capture” tools and coaching to eliminate vulnerabilities during development and provide policy guardrails for enabling speed. Throughout the pipeline, orchestrated security services will automatically reinforce the policy guardrails and enable risk-based vulnerability management for overburdened, under-resourced security teams that are challenged to get in front of cloud adoption. As a result, we’ll see increased demand for API security, cloud application security, application security orchestration services and consolidated risk-based vulnerability management approaches to software risk reduction.
By: Thomas Richards, Principal Consultant at Synopsys Software Integrity Group
For the past several years, social engineering has been the primary attack vector used to breach organisations. While we have seen organisations implement increasingly rigorous social engineering testing programs to increase awareness and lower the chances of a successful attack, humans will continue to be a popular target for cyber-criminals. Ransomware attacks will most likely continue to cause havoc for companies as the attackers get more sophisticated in their approach.