By: Taylor Armerding, Software Security Expert, at Synopsys Software Integrity Group
Anybody who made predictions a year ago about 2020 could be forgiven for feeling a bit like the TV weather forecaster who got a note from an angry viewer telling him, “I just shovelled six inches of ‘partly cloudy’ off my driveway.”
Because nobody — literally nobody — could have had a clue back in November 2019 that by March the nation would be in the grip of a pandemic that would upend every industry including IT, moving the bulk of the workforce out of offices and into their homes, expanding the attack surface in new and diverse ways, and cancelling long-established live events like security conferences. So yes, everybody missed a very big thing — the biggest thing of the year.
But that doesn’t mean everybody should swear off of predictions for 2021. Predictions are, after all, speculative by nature. They say what is likely, not guaranteed, to happen, which is still worthwhile. And fortunately, there are a number of courageous prognosticators who are still willing to lay out their speculations in public.
Chances are, most of them will be right because they’re good at spotting and evaluating trends, and most of them have enjoyed some career success because of their ability to plan ahead.
So, in no particular order, here is some very informed speculation about the year ahead on everything from the cloud to ransomware. And yes, some of that speculation is based on the reality that the coronavirus has changed the world, for the long term.
Jason Schmitt, general manager, Synopsys Software Integrity Group
As profound of an impact as DevOps has had on application security programs and practices in the past few years, the acceleration of cloud adoption during this pandemic year is shifting the software security landscape even more dramatically.
While DevOps represents a clear evolution in the way that software is built, delivered, and operated, the architecture, composition, and very definition of applications are changing rapidly, leading to a rethink of software security approaches. These dual pressures of delivery velocity and cloud transformation will have a big impact on the software security market in the next one to two years.
To get ahead of this cloud transformation, software security will evolve again into a risk-based vulnerability management service that seeks to automate and orchestrate security services as part of the software build and delivery pipeline. We’ll see increased demand for API security, cloud application security, application security orchestration services, and consolidated risk-based vulnerability management approaches to software risk reduction.
Anthony Di Bello, vice president of strategic development, OpenText
Until this year, the cloud was still viewed as an option by most organisations. With COVID-19 and the overnight shift to working from home, it has become a mandate. This shift will create changes both in how security is focused and where attackers focus in 2021.
We’ll see a massive shift to cloud-native solutions in 2021. We’ll see increased adoption of secure access service edge (SASE); authentication and identity management; and host, data, and user-centric approaches to security. On-premises technologies will be upgraded or ripped out for cloud-native and containerised solutions. Infrastructure as a service and desktop as a service will enter a heyday.
Correspondingly, we’ll see attackers en masse set their sights on breaking container-based architectures such as Kubernetes, and very likely see the first major breach of such an environment. Vendors will be forced to adapt their technology to this new paradigm or risk going the way of antivirus.
In a connected world, espionage has increasingly become a digital endeavour. That will expand, FireEye predicts, beyond what it calls the Big Four (Russia, China, Iran, and North Korea) to include Vietnam and South Asia.
But information warfare now goes beyond espionage, to spreading disinformation. “While it used to be just Russia targeting the U.S., the number of parties involved is growing rapidly. Iran is now involved, and there are pro-China and pro-Cuba regional networks in Argentina,” Jamie Collier, cyber threat intelligence consultant at FireEye, told SecurityWeek.
“All this space is getting more complex — and a wider nexus of groups is trying to mimic legitimate media in their campaigns. We suspect that there are contractors, PR and marketing firms, and other non-state actors now involved in these information operations.”
Anthony Di Bello
Disinformation and misinformation impact businesses and the public at large in myriad ways. For a business, false or misleading claims can have a major impact on their bottom line. At scale in the public, misinformation can tilt the tide of public opinion. The good news is that at a smaller scale, cyber security and digital forensic teams have experience with this challenge.
So along with AI/ML platforms becoming easier to use, expect to see early applications of autonomous fact-checking technology appearing across various platforms next year. I expect to see applications for business systems, validating critical business process data, as well as the obvious consumer applications within social media platforms. Think secure supply chain approaches, but for information.
Thomas Richards, principal consultant, Synopsys
For the past several years, social engineering has been the primary attack vector used to breach organisations. Although we’ve seen organisations implement increasingly rigorous social engineering testing programs to increase awareness and lower the chances of a successful attack, humans will continue to be a popular target for cyber criminals.
Luke Moore, senior vice president of revenue, iProov
Social networks will turn their attention to user authenticity. Goodbye, anonymous trolls. To curb abuse and rebuild trust, social media platforms will offer additional capabilities to verify their users. Like the blue checkmark on Twitter, online identities will become easily recognisable as genuine. Currently, this type of confirmation is a manual process reserved for high-profile accounts in the public interest. To automate verification and extend a badge of trust to more users, social media platforms will need to deploy strong, irrefutable authentication that a user is a real human being. Biometrics offer the effortless usability and accuracy of authentication that will be needed to do this at scale.
Behavioural analytics for criminals
The Identity Theft Resource Centre
Cybercriminals are relying less on consumers’ personal information and more on their behaviours to commit identity-related crimes, making personal information less valuable and attractive to attackers. This could be a long-term trend.
Meanwhile, key U.S. government resources dedicated to financial and identity crime victims have been eliminated. We believe options for direct assistance will continue to decline in 2021.
Code? What code?
Meera Rao, senior director of product management (DevOps solutions), Synopsys
Over the past year, we’ve seen organisations rapidly building applications using low-code/ no-code platforms. Application security testing (AST) tools, particularly static application security testing (SAST) tools, work best when there’s code to scan. The way SAST tools work may require alterations to accommodate these platforms.
I also envision a change in how we build security into software. More and more AST tools will move toward providing the same experience as low-code/no-code platforms. By providing a few inputs to the tool, they will be able to generate all the integrations required to run the tool either on-prem or in the cloud seamlessly, just like low-code/no-code platforms.
So I predict truly building “Sec” into DevOps with low-code or no-code platforms.
Ransom, ransom everywhere
Rob Rosenzweig, national cyber practice leader, Risk Strategies
Ransomware attacks show no sign of stopping, and the pandemic has only ramped this space up. Next year we can expect to see more of these incidents hitting the healthcare and R&D industries as hackers look for intellectual property and trade secrets related to COVID-19. All industries will be investing more in cyber security and insurance coverage as remote work continues on a mass scale.
Anthony Grenga, director of IronNet’s CyOC
Ransomware almost doubled, from US$11.5B to US$20B in damages in 2020, but the cyber security community predicted this increase. Similarly, ransomware will continue to play a major role in 2021 with the steady move to “access as a service” and access marketplaces where skilled attackers not willing to take the heat of monetising their efforts will move to underground forums to sell off implants and credentials that will likely get flipped to ransomware deployments.
Securing your wheels
Dennis Kengo Oka, principal automotive security strategist, Synopsys
In 2020, a draft standard of ISO SAE 21434 Cybersecurity Engineering was released and WP.29 UN regulations on Cybersecurity and Software Updates were adopted. These standards and regulations put higher emphasis on cyber security for the automotive industry and will drastically affect auto manufacturers and suppliers especially in the next few years, both on technical and organisational levels.
As more software is used in automotive systems, it becomes even more important for automotive organisations to deploy automated solutions to help find and fix software vulnerabilities and weaknesses earlier in the software development.
Security as a platform
Nadir Merchant, general manager, IT Glue
The next evolution in security is a one-stop-shop platform. With expanded attack vectors due to remote working and no single software that substantially addresses all these new security needs, there will be an increase in demand for security platforms — not disjointed applications — to ensure top-notch security
Global robotic process automation (RPA) software revenue is projected to reach US$1.89 billion in 2021, an increase of 19.5% from 2020. Despite economic pressures caused by the COVID-19 pandemic, the RPA market is still expected to grow at double-digit rates through 2024.
“The key driver for RPA projects is their ability to improve process quality, speed, and productivity, each of which is increasingly important as organisations try to meet the demands of cost-reduction during COVID-19,” said Fabrizio Biscotti, research vice president at Gartner.
Remote goes mainstream
Tal Zamir, founder and CTO, Hysolate
With the shift to remote work brought about by COVID-19, enterprise “bring your own device / bring your own personal computer” (BYOD/BYOPC) programs have been making a huge comeback. But scaling them is proving to be cost-prohibitive for companies relying on traditional remote-access solutions like virtual desktop infrastructure and desktop as a service (DaaS). Endpoint security will have to evolve, so 2021 will bring greater investment in secure digital workspaces. Enterprises will look to extend their support for non-managed laptops, not just for contractors and third parties but for the entire workforce, and they will need to address manageability and privacy issues related to these programs.