Comments by: Ian Hall, Head of Client Services, APAC, Synopsys Software Integrity Group
If 2020 was the year that business slowed while the world came to grips with COVID-19, then 2021 was the year that the adaptation was complete as business approached normality. Organisations’ workforces have continued to work remotely in many places, but organisations and people are no longer distracted by this.
From a technology perspective, this has meant that spending has increased as organisations embrace new technologies such as containerisation and cloud-native architectures. Along with this comes the corresponding need to update their security tooling. The shift to remote work in 2020 has meant that associated security tools such as VPNs, DLPs and endpoint protection are already in place allowing budgets to be used elsewhere. And due to the constant barrage of hack and data breach headlines, budgets within many firms have shifted to application security since protecting web applications, APIs and other application-layer aspects have become increasingly prioritised.
The increasing risks presented by the supply chain were top of mind in 2021. The attention paid to supply chain risk was actually ignited toward the end of 2020 when news of the SolarWinds hack came to light. Many multinational corporations with huge presences in Asia Pacific were impacted. Organisations scrambled to see if and how their software portfolios, and those of their vendors and partners, had been compromised. These fears were justified as there have been other hacks within Asia Pacific often involving groups tied to specific nations.
For instance, in May 2021, North Korean hackers were credited with a cyberattack on South Korea’s state-run Korea Atomic Energy Research Institute (KAERI). This was again a supply chain attack with the North Korean hackers leveraging a vulnerability in a VPN vendor’s software.
Additionally, in August 2021, Symantec reported various groups traced back to China were responsible for hacks at five major Southeast Asian telecommunication providers over several years. These hacks were again enabled by commercial software – in this case, MS Exchange vulnerabilities.
Ransomware attacks have also continued to become more and more popular, with Check Point Software reporting an increase of 168% in Asia Pacific. The success of these types of attacks is certainly encouraging further attacks, which is what we’re observing on a global scale.
For instance, the Colonial Pipeline attack in the United States was very widely reported and hearing about a multi-million-dollar ransom being paid (even if most was recovered) is still incredibly enticing to hacking groups worldwide.
Predictions for 2022
In the summer of 2021, much of the United States and Europe had a revival in the area of travel for leisure although business travel is still lagging. This is in contrast to Asia Pacific where the COVID-19 response strategy has meant lengthy quarantine measures remain in place for visitors, serving a dual purpose of preventing the spread of COVID-19 while also discouraging travel. Travel continues to remain at a fraction of the level of where it was previously in places such as Australia, China and Southeast Asia.
With that in mind, I find it difficult to believe that many organisations are budgeting much into travel and what that might mean is the ability to re-allocate spending to other areas.
I see more digital transformations taking shape in 2022 as organisations look for efficiencies in a world where we are not quite sure if life will ever return to “normal.” I see there being an expansion of multi-lateral cooperation around cybersecurity. There have been two high-level meetings of US Government officials in Singapore where Cybersecurity was discussed – Secretary of Defense Lloyd J Austin III’s visit in July and Vice President Kamala Harris’ visit in August. A quick internet search of hacks or breaches in Asia Pacific brings up a common theme: the involvement of nation-state malicious actors. This is something that governments in the region are keen to get ahead of by cooperating to share information.
In the area of AppSec, organisations have been implementing static analysis tools, interactive application security testing tools, and software composition analysis tools (among others) with the desire to move quickly and enact a DevSecOps culture. And to do so in the year ahead, I’d like to see more strategic tooling management. There will be a continued push to run these tools faster, get more actionable results and also reduce excess noise created by the defects being identified.
Organisations do not want to waste developers’ time combing through a host of duplicate defects or fixing defects that are not exploitable. Thus, consolidating results from multiple tools and providing a prioritised list of defects will become a priority.
Infrastructure as code has been around for a number of years, but I feel that in Asia Pacific adoption has been slower than in other regions. I see this changing in 2022: having taken hold somewhat recently, it will now become the norm along with cloud-native architectures.
With these changes, organisations will need to re-look at the security controls put in place since the same policies will not work when moving to new architectures. These technological changes are exciting but will mean that investment is also needed in staff so that they have the necessary skill to effectively support and protect the systems.
Comments by: Jason Schmitt, General Manager, Synopsys Software Integrity Group
In the face of this emerging battle that pits good versus on the cyberspace battleground, there are a few emerging trends to watch as 2022 unfolds:
Software supply chain risk management will rapidly emerge as a crucial discipline and top 3 investment area for CISOs as they realise the extent to which they lack visibility into software trust and have underinvested in software security programs relative to the extent of the threat to the business.
Cryptocurrency volatility and adoption will both increase, making them an even more attractive playground for malicious forces looking to extract ransom from data heists, as well as attempting to profit from manipulating and stealing cryptocurrencies.
Artificial intelligence has rapidly evolved from a promising technology to mainstream usage in virtually every area of IT and consumer technology. As a result, the security of AI-driven systems will become another important realisation for development and security teams as they understand the nature and extent of algorithmic manipulation targeted at AI.
Comments by: Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group
2022 will be remembered as the year when a rising tide of organisations start leveraging application security (AppSec) as a business enabler.
Traditionally, AppSec is seen as an impediment, an arbitrary hurdle placed in the way of business progress. We’re passing a tipping point where organisations are realising that AppSec is inseparable from how we build, deploy, and run software.
For organisations that build software, 2022 will be the year of invisible AppSec. When AppSec tools are run automatically, and when results are integrated with existing processes and issue trackers, developers can be fixing security weaknesses as part of their normal workflows. There is no reason for developers to go to separate systems to “do security,” and no reason they should be scrolling through thousand-page PDF reports from the security team, trying to figure out what needs to be done. When security testing is automated and integrated in a secure development process, it becomes a seamless part of application development.
At the same time, organisations are coming to recognise that AppSec is a critical part of risk management, and that a properly implemented AppSec program results in business benefits. Good AppSec equals fewer software vulnerabilities, which equals less risk of catastrophe or embarrassing publicity, but also results in fewer support cases, fewer emergency updates, higher productivity, and happier customers.
Comments by: Amit Sharma, Security Engineer, Synopsys Software Integrity Group
In the year ahead, cybersecurity awareness training remains essential to the prevention of a variety of cyber-attacks for organisations of all shapes and sizes. This is an important way for businesses to prevent phishing attacks. As more and more organisations adopt cloud solutions, cloud security strategies will continue to mature in the months and years ahead.
Automation and configuration are of utmost importance to maintain continuous sensitive data protection in the cloud. We will also see a continued rise in the use of orchestration technologies such as Kubernetes, which will drive increased demand for container and Kubernetes security solutions.
With the growth in supply chain attacks in 2021, maturity around supply chain governance and management is necessary for organisations. Security mechanisms must be put in place internally, in addition to that of partners and vendors. With so many software and application security solutions available to monitor various aspects of the software development life cycle, testing results should be consolidated and correlated using common platforms. Consolidated dashboards help development and security teams pinpoint actionable risk and react according to established policies.
In recent years, there has also been an uptick in API-based cyber-attacks against enterprise web applications. Knowing this, organisations should invest in API security activities. We’re seeing a strategic radical initiative in the growth of zero trust. This model helps prevent data breaches by eliminating the concept of trust in their security posture. Trust nobody, verify everybody. Granular access controls for users, data, resources, etc. are one way of employing a zero trust model.
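Ian Hall's point about consolidating results from multiple tools into a prioritised list (dropping duplicates and non-exploitable defects) and Amit Sharma's point about correlating testing results on a common platform describe the same step. The following is an added example, not code from Synopsys or from any of its products: it takes constructed findings from hypothetical SAST, IAST, SCA and DAST tools (the tool names, the record layout and the VULN-A / VULN-B identifiers are placeholders, not real tool output or real vulnerability IDs), merges records that describe the same defect, keeps the strongest severity and any tool's exploitability flag, and ranks what is left. Non-exploitable items are deferred rather than silently discarded, so the suppression is auditable.

```python
"""Consolidate findings from several AppSec tools into one prioritised list.

Added example with constructed data; the tool names and identifiers are
placeholders and the record layout is an assumption, not any vendor's format.
"""
from dataclasses import dataclass

# Common severity scale; a real pipeline would map each vendor's scale onto it.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    """One raw result as a tool would report it (field names normalised)."""
    tool: str          # scanner that produced it
    weakness: str      # CWE id for code defects, vulnerability id for dependencies
    location: str      # file:line, package@version or endpoint
    severity: str      # one of SEVERITY_RANK's keys
    exploitable: bool  # the tool's reachability / verification flag


@dataclass
class Consolidated:
    """Several raw findings that describe the same defect."""
    weakness: str
    location: str
    severity: str
    exploitable: bool
    tools: tuple  # sorted names of the tools that agree

    def score(self) -> int:
        # Severity dominates; corroboration by more tools only breaks ties.
        return SEVERITY_RANK[self.severity] * 10 + len(self.tools)


def dedup_key(f: Finding):
    # Normalise case and whitespace so "cwe-89 @ app/db.py:118 " from one tool
    # collapses with "CWE-89 @ app/db.py:118" from another.
    return (f.weakness.upper(), f.location.strip().lower())


def consolidate(findings):
    merged = {}
    for f in findings:
        key = dedup_key(f)
        if key not in merged:
            merged[key] = Consolidated(f.weakness.upper(), f.location.strip(),
                                       f.severity, f.exploitable, (f.tool,))
            continue
        c = merged[key]
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[c.severity]:
            c.severity = f.severity          # keep the strongest rating
        c.exploitable = c.exploitable or f.exploitable
        if f.tool not in c.tools:
            c.tools = tuple(sorted(c.tools + (f.tool,)))
    return list(merged.values())


def prioritise(findings):
    """Return (actionable, deferred): exploitable defects ranked by score,
    and non-exploitable ones kept in a second list rather than dropped."""
    consolidated = consolidate(findings)
    by_score = lambda c: c.score()
    actionable = sorted((c for c in consolidated if c.exploitable), key=by_score, reverse=True)
    deferred = sorted((c for c in consolidated if not c.exploitable), key=by_score, reverse=True)
    return actionable, deferred


# Constructed sample findings (placeholders, not output of any real tool).
SAMPLE_FINDINGS = [
    Finding("sast-a", "CWE-89", "app/db.py:118", "high", True),
    Finding("sast-b", "cwe-89", "app/db.py:118 ", "critical", True),  # same defect, other tool
    Finding("iast", "CWE-89", "app/db.py:118", "high", True),          # confirmed at runtime
    Finding("sast-a", "CWE-79", "app/views.py:42", "medium", False),   # flagged, not reachable
    Finding("sca", "VULN-A", "libfoo@1.2.3", "critical", False),       # vulnerable function never called
    Finding("sca", "VULN-B", "libbar@2.0.0", "high", True),
    Finding("dast", "CWE-79", "/search?q=", "medium", True),
]


if __name__ == "__main__":
    actionable, deferred = prioritise(SAMPLE_FINDINGS)
    print("Actionable (fix first):")
    for c in actionable:
        print(f"  {c.score():3d} {c.severity:8s} {c.weakness:8s} {c.location:18s} {'+'.join(c.tools)}")
    print("Deferred (not exploitable, kept for audit):")
    for c in deferred:
        print(f"  {c.score():3d} {c.severity:8s} {c.weakness:8s} {c.location:18s} {'+'.join(c.tools)}")
```

Running it turns seven raw records into five consolidated defects: the SQL injection reported by three tools is ranked first as a single critical item, while the critical SCA result whose vulnerable function is never called drops into the deferred list instead of competing with it for developer time.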