As we round out the final year of the decade and plunge headfirst into the 2020s, now is a good time to take a step back and reflect on the last year, as well as look forward at the potential challenges and changes we can expect to see over the next twelve months, or even ten years. Here are some concepts I think are worth talking about as we go into the ’20s.
The “unknown” is the biggest cyber threat businesses will face
When protecting against known elements, such as WannaCry or other pre-existing threats, organizations have a clear picture of what the enemy looks like and can thereby adopt successful defensive techniques against such known threats. However, the biggest threats today are the ones we won’t know about until tomorrow (or even later), which is why a proactive, hacker-minded approach is integral to catching these issues before they’re found and exploited in the wild.
The next big breach is already happening now, and we’ll only learn about it months down the road. From what we continue to see with leaks and breaches, it’s often the exposed but unknown attack surface that’s much more likely to sink an organization than breaks in its core apps or architecture (an exposed file, key, or server that nobody knew about or thought was a risk). And while one fundamentally can’t expect the unexpected, organizations can take steps to ensure there are fewer unknowns. In doing so, they reduce their footprint for being surprised, and they get ahead of potential back doors into the organization.
IoT device testing will get easier, but it may not feel any more secure
As with any technology, as IoT gains more growth and traction in the market, it’s also simultaneously going to become easier to test through the proliferation and creation of tooling and other resources that will enable hackers to find issues more quickly. Over the next few years, I’d expect there to be an increase in findings and news stories around IoT security and its associated vulnerabilities as more and more hackers get involved with testing these technologies. In turn, during this same period, organizations will have to start taking notice and treating security as a priority if they want to win the business of consumers, which will ideally lead to building more secure devices.
The important caveat to all of this is that IoT in the future won’t resemble the IoT we know and are using right now — it’ll expand in ways we may not even be imagining at present. Ultimately, whatever route it takes, it’ll integrate even more tightly with our lives (think, for example, VR, AR, wearables, clothing, or even implants). So, while individual segments of IoT may start to become more secure over time, there will always be another frontier where the speed to market takes precedence over security, which will inevitably result in vulnerabilities… and the cycle continues.
Crowdsourced security will have a greater presence in the public consciousness and surface new talent
We’re going to see crowdsourced security expand as an integral part of any healthy security program, and with it a greater presence in the public consciousness. The idea of “crowd fear” will also simultaneously continue to decrease as organizations recognize the irreplaceable value provided by the approach.
In line with crowdsourced security going more mainstream, this awareness is also going to attract new talents. We’re going to witness more security professionals becoming bug hunters on the side, which will bring a wider range of skill sets into the pool of candidates, further empowering and enabling crowdsourced security to be even more effective and ubiquitous.
There will also be significantly more creative ways to leverage the Crowd at large — where there’s opportunity, the Crowd will step up to fill that space. It becomes only a matter of connecting the dots. Many of the technologies we’ll be testing in the future likely haven’t been invented yet, just as mobile apps weren’t heavily in the public consciousness until 2007. There will always be a need for security testing, and you can be sure the Crowd will be ready to help.
The number of vulnerability submissions and payouts will continue to increase
As the acceptance and utilization of crowdsourced security becomes more popular and more researchers join the community, the number of submissions will organically continue to increase alongside it. The number of submissions against a given target may decrease over time as that target remediates and learns from its past issues, but proactive organizations will simultaneously realize that’s not their only attack surface. As new code continues to be deployed at rapid scale, new assets to be secured will be created daily, which means new bugs to find.
That said, it’s fair to say that the severity distribution will stay roughly the same based on historical data: we’ll see more P4s than P3s, more P3s than P2s, and so on. This ratio will hold for the foreseeable future. And while the ratios may not be expected to change, we do anticipate payouts increasing, both in total dollars awarded and in the average reward per submission. As more programs reach maturity, they’ll naturally drive up the market rate for participation, which will ripple through the entire bug-hunting economy. Just as researchers compete to find bugs, organizations will have to implicitly compete for researcher attention through creative and enticing reward structures and models.
If one thing’s for certain in 2020 and the decade to come, it’s that there will be bugs, lots of them. But there will also be a lot of organizations that don’t get breached; that find the vulnerabilities and patch them before they’re ever found or exploited in the wild. Sadly, those make for pretty boring storylines: “company patches bug before anyone found it, no data was stolen.” And while it may never get printed, that’s a storyline worth hoping for in 2020. The one where proactive security helps secure just a little more of the internet, making it a more secure place today than it was yesterday.