Security breaches regularly made headlines in 2018, while advancements in DevOps, application security testing tools, artificial intelligence, machine learning, cloud adoption, and the Internet of Things raced forward. 2019 promises to be another busy year in technology and digital transformation, but what will that look like for software security? Here are our software security predictions for 2019:
We were excited to see DevOps move from a buzzword to serious business in 2018. Development teams of all sizes are adopting DevOps because it’s essential to keep up with the pace of software delivery in today’s business environment. As DevOps adoption increases, we expect to see more integration of security practices into DevOps processes and tools.
DevSecOps essentially means building security in, in part by adding automation and integration of application security tools early in the software development lifecycle (SDLC). While the theory of DevSecOps has been around for some time, many security teams struggle to implement best practices and bake security directly into their organization’s DevOps initiatives.
In 2019, we think that the view of security as being at odds with DevOps goals will slowly dissolve as development organizations embrace DevSecOps as automation technologies make security testing quicker and more manageable. We’re looking forward to DevSecOps moving from theoretical into the realm of the practical.
Interactive Application Security Testing Adoption Takes Off
One trends we’re sure to see emerge in 2019 is widespread adoption of Interactive Application Security Testing (IAST). In a rapid development and delivery environment, more and more processes are moving towards automation. IAST offers the ability to automatically test, leveraging your existing functional testing program. Security teams will see the advantages of this additional set of data points associated with the risk in your web application. We expect IAST to become very popular as we move through 2019 due to its speed and effectiveness earlier in the SDLC.
Artificial Intelligence and Machine Learning Turn to Hacking
Artificial Intelligence (AI) and Machine Learning (ML) aren’t just buzzwords – today they are real tools to work with. We see AI/ML already in use in defense tools to detect anomalies and potential threats, meanwhile there is a lot of speculation about malicious actors working to disrupt these algorithms. The use of AI/ML in hacking tools is budding, and we predict that AI/ML-based or -assisted attacks will become more frequent in 2019.
Cloud Adoption Rises
Cloud services have come a long way in the last few years, from Infrastructure as a Service (IaaS), via Platform and Software as a Service (PaaS/SaaS), all the way to Serverless computing. Now Function as a Service (FaaS) on the rise, which abstracts many layers of production. While these services have some downsides, they’re also convenient, cost-effective and enable vendors to focus on their primary business goals. Amazon, Google, and Microsoft offer reliable services and many of these areas, and we expect the cloud adoption trend to continue.
Vulnerabilities Abound in the Internet of Things
IoT simply is not secure today. While there are secure devices available on the market, they’re the exception rather than the rule. Perhaps more concerning to our team is that we don’t see a revolution in IoT security on the horizon. IoT will continue to be vulnerable in 2019. Brace yourself.
Microservices Deliver While API Security Evolves
Microservices Architecture is common practice today. When everyone is working to be agile, delivering quickly and intelligently, microservices have a great deal to offer. When utilizing microservices, organizations maintain a multi-services environment, which requires inter-services communication, or Application Programming Interfaces (APIs). These APIs are part of the growing attack surface available to malicious actors, so we expect more attempts to abuse API vulnerabilities in 2019. Meanwhile, the security industry will work to define the security measures needed for APIs.
Open Source Analysis Increases
Open source code, specifically open source code used as part of applications, makes us redefine the concept of “Trust.” Vendors are aware that they cannot blindly trust third-party open source modules; it would be naive to trust that not only is a specific open source solution free of malicious vulnerabilities, maintained as required, and built securely, but all its own third-party open source modules are as well. Given the understanding that visibility into open source code is essential, we expect more organizations will keep an eye on the open source in the code they deploy. Those who neglect the responsibility to manage their open source will encounter difficulties.
Lack of Security Awareness Leads to More Breaches
One of the biggest security threats we face today, as users of technology in every aspect of our lives, is the loss of privacy. Sometimes we lose our privacy because we “choose” to do so (usually as a tradeoff for convenience or simple not reading an end user license agreement), but many times it’s the result of malicious intent, negligence, or lack of security awareness on the part of the organizations who create the applications and devices we use. Although this subject makes headlines all the time, highlighted by legislation such as GDPR, bad actors stand to gain a lot of profit through cybercrimes. Unfortunately, we expect to see more breaches and leaks of private information in the year to come.