It’s still the season for gazing into the crystal ball that tells us what’s going to happen in the world of cybersecurity for the rest of the year.
Or at least we wish it would. Crystal balls are always cloudy, which means predictions are hard—especially about the future, as the late, great Yogi Berra said. Indeed, weather experts have a tough time telling us what’s going to happen in a week, never mind the rest of a year that’s just beginning.
But forecasts, even if they’re not guaranteed, are still useful. Most people and organizations that succeed do so in part by planning ahead. And to do that takes both foresight and the courage to make good guesses that might not come true. Fortunately, here at Black Duck, we’ve got a cadre of experts who have both.
The predictions below aren’t guarantees, of course, but they are likely. Which means they can help you plan for a better 2023.
Sammy Migues, principal scientist
I think we’ll see some new and interesting side effects from technology that gave us deep fakes and ChatGPT. Technical interviews over video call should be a snap if you have a real expert sit in for you—and look and sound just like you.
If you don’t have such an expert handy, why not just send the questions to ChatGPT and read the answers? Don’t have time to learn how to configure that new security device? Forget technical support—ask ChatGPT for a step-by-step checklist! Don’t have time to write that new crypto module? Ask the AI to do it! Don’t have years of log data to support your massive budget request? Have the AI generate it in minutes! The possibilities are endless. Sure, the AI is just a mindless automaton spewing things it’s assembled, but it can be pretty convincing at first glance.
Michael White, technical director and principal architect
As organizations become concerned about what could be in their software and where it comes from, we’ll start to peel back the layers of the onion and understand all the possible corner cases where we need to have appropriate controls.
This will mean much more transparency is required—not just software Bills of Materials (SBOMs), but also the whole chain of custody of who touched what, which tools were used, what testing was performed, etc. Organizations will look to toughen up their internal supply chain and software delivery infrastructure, as well as cascade down to their providers and vendors a requirement for transparency.
Jonathan Knudsen, head of global research within the Black Duck Cybersecurity Research Center
People will still not take software risk seriously, will continue to build things too fast without doing it properly, and will still not think about security until their house is actually burning.
Southwest Airlines should be a wakeup call. Obviously all companies are software companies, and how much is their meltdown going to cost them? But we’ve had at least five decades of wakeup calls and we just keep hitting the snooze button.
Sammy Migues
It’s been true every year for a while and will be true this year also: More of the world is becoming software, much of that software is new technology for which stakeholders and creators have little functional experience and even less security experience, that software is interconnected and will affect how some people live their lives, and all of it is vulnerable to attack.
We will start accepting as a day-to-day possibility that some mundane event can’t happen on a given day, such as no one can make toast today because all internet-connected toasters use an AI engine that’s under a DDoS attack.
Gunnar Braun, technical AppSec account manager
The value of open source software (OSS) is not just that it’s free. It’s the enormous amount of software components available for almost every problem you’ll ever face. Businesses are realizing their dependence on OSS as an enabler for their own business.
Many OSS projects are backed (funded) not just by large enterprises that produce a lot of OSS on their own, but now also by smaller companies. This is their investment in the quality and security of OSS so they can continue to use and rely on it. I predict that smaller companies will invest more in the OSS they use, and bigger players will build programs to bring order to the chaos, like Google’s Assured Open Source Software service. We will see what level of acceptance the latter will achieve.
Sammy Migues
Organizations, especially boards and their risk committees, will see that detective controls alone are not keeping their organizations safe enough from malware, ransomware, software vulnerabilities, and other technical sources of risk. They’ll begin investing in preventive controls even if that means stifling some amount of creativity in technology areas such as cloud, networks, development, and operations.
Anita D’Amico, vice president, cross-portfolio solutions and strategy
Organizations motivated by the need to rapidly respond to the next Log4J-like vulnerability will accelerate contractual requirements for SBOMs from their software suppliers. But how will the procurers know that these SBOMs are accurate? This will then create a demand for the validation of SBOMs to fulfill these contractual requirements.
Also, the acronym “SSDF” will start rolling off the lips of anyone concerned with the software supply chain. The SSDF—Secure Software Development Framework—published by the National Institute of Standards and Technology in 2022, will become the north star for organizations that need to demonstrate best practices in software security.
Stanislav Sivak, associate managing security consultant
This year, we’ll see increased demand that software suppliers provide their open source SBOM and associated risk posture to their clients.
The efforts will be directed, at least in larger organizations, at having a holistic, continuous overview of software composition and its origins (COTS, open source, partner) instead of a point-in-time approach.
Such organizations will need to establish a centralized platform that can process the inputs, understand the context, generate the output such as an SBOM in the appropriate format, and provide intelligence around its data.
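Both of the SBOM points above come down to one check a procurer can automate: does the SBOM a supplier hands over actually describe what was delivered? The script below is an added example (not Black Duck tooling and not part of this post) that cross-checks a CycloneDX-style SBOM against the artifacts received. Only the CycloneDX field names (`bomFormat`, `components[].name`, `version`, `hashes[].alg`, `hashes[].content`) are real; the SBOM document, the artifact bytes and the function names are constructed for the example.

```python
"""Cross-check a supplier SBOM against the artifacts actually delivered.

Added example, not Black Duck's or Synopsys' tooling. The SBOM and the
"observed" artifacts below are constructed so the script runs offline; in
practice the observed hashes come from the files in the delivered package.
"""
import hashlib
import json
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: what the procurer actually received, keyed by (name, version).
OBSERVED_ARTIFACTS = {
    ("libalpha", "1.2.0"): b"libalpha-1.2.0 constructed contents",
    ("libbeta", "3.0.1"): b"libbeta-3.0.1 constructed contents",
    ("libgamma", "0.9.0"): b"libgamma-0.9.0 constructed contents",
    ("libepsilon", "1.0.0"): b"libepsilon-1.0.0 constructed contents",
}

# Constructed supplier SBOM in CycloneDX 1.4 JSON shape, deliberately seeded
# with one correct entry (libalpha), one stale hash (libbeta), one component
# never shipped (libdelta) and one declared without any hash (libepsilon).
# libgamma was shipped but is not declared at all.
SUPPLIER_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libalpha", "version": "1.2.0",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(OBSERVED_ARTIFACTS[("libalpha", "1.2.0")])}]},
        {"type": "library", "name": "libbeta", "version": "3.0.1",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(b"libbeta-3.0.0 previous build")}]},
        {"type": "library", "name": "libdelta", "version": "2.0.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"libdelta-2.0.0")}]},
        {"type": "library", "name": "libepsilon", "version": "1.0.0"},
    ],
})


def _declared_sha256(component: dict) -> Optional[str]:
    """Return the SHA-256 the SBOM declares for a component, or None if absent."""
    for h in component.get("hashes", []):
        if h.get("alg", "").upper() == "SHA-256":
            return h.get("content", "").lower()
    return None


def validate_sbom(sbom_json: str, observed: dict) -> dict:
    """Sort every declared and every observed component into one bucket.

    verified: name, version and SHA-256 all agree with the delivered artifact.
    hash_mismatch: declared hash differs from the delivered bytes.
    declared_not_shipped: listed in the SBOM, absent from the delivery.
    unverifiable: delivered, but the SBOM gives no SHA-256 to check.
    shipped_not_declared: delivered, but missing from the SBOM entirely.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    buckets = ("verified", "hash_mismatch", "declared_not_shipped",
               "unverifiable", "shipped_not_declared")
    report = {k: [] for k in buckets}
    declared_keys = set()
    for comp in sbom.get("components", []):
        key = (comp.get("name"), comp.get("version"))
        label = f"{key[0]}@{key[1]}"
        declared_keys.add(key)
        if key not in observed:
            report["declared_not_shipped"].append(label)
            continue
        expected = _declared_sha256(comp)
        if expected is None:
            report["unverifiable"].append(label)
        elif expected == sha256_hex(observed[key]):
            report["verified"].append(label)
        else:
            report["hash_mismatch"].append(label)
    for key in observed:
        if key not in declared_keys:
            report["shipped_not_declared"].append(f"{key[0]}@{key[1]}")
    return {k: sorted(v) for k, v in report.items()}


def sbom_is_accurate(report: dict) -> bool:
    """True only when nothing landed outside the 'verified' bucket."""
    return all(not items for k, items in report.items() if k != "verified")


if __name__ == "__main__":
    rep = validate_sbom(SUPPLIER_SBOM_JSON, OBSERVED_ARTIFACTS)
    for bucket, items in rep.items():
        print(f"{bucket:22s} {items}")
    print("accurate:", sbom_is_accurate(rep))
```

Two of the buckets deserve a contractual answer rather than a technical one: a component with no hash cannot be validated at all, and a delivered component the SBOM never mentions is exactly the blind spot a Log4j-style response would miss, so a procurement requirement for SBOMs is only as useful as the requirement that every entry carry a verifiable hash.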
Boris Cipot, senior security engineer
For many years, we made slow progress with data security. Until recently, the model we used rested on the use of a username (who I am) with a password (what I know). That was then extended to a third factor—confirming one’s identity with another device (what I own).
Microsoft has now announced that it will move away from passwords and rely only on identification through their authentication app. This would certainly mean the end of bad password hygiene—from its misuse to the repeated use of the same one across multiple accounts. But we have yet to see how many online services will follow suit—not all companies have the same capabilities as Microsoft’s Authenticator app or Google’s ID Confirmation. Nevertheless, more services might start sending text messages or emails with a code. It is important to watch out, though, that unauthorized persons do not gain access to those resources.
Sammy Migues
I think 2023 is the year that multifactor authentication really becomes a common thing. Even if people don’t enable it, organizations will begin setting it as the default. It’s just easier on everyone to cause a little authentication friction compared to trying to recapture a stolen account.
Amit Sharma, security engineer
Cybersecurity awareness training will remain essential to the prevention of a variety of cyberattacks for organizations of all shapes and sizes. This is an important way for businesses to prevent phishing attacks. As more and more organizations adopt cloud solutions, cloud security strategies will continue to mature in the months and years ahead.
Automation and configuration are of utmost importance to maintaining continuous sensitive data protection in the cloud. We will also see a continued rise in use of orchestration technologies such as Kubernetes, and that will create an increased demand for container as well as Kubernetes security solutions. With the growth in supply chain attacks in 2022, maturity around supply chain governance and management is necessary for organizations. Security mechanisms must be put in place internally, in addition to that of partners and vendors.
Meera Rao, senior director for product management
Breaches we saw in 2022 were mostly related to social engineering attacks. We saw that all it takes to be in the headlines for the wrong reason is one vulnerable user. A user without training in social engineering is an easy target for a wide range of phishing and smishing attacks.
So regular employee training has taken center stage once again and will continue to be a key goal for organizations in 2023 as well.