It’s been another interesting year in security. Reflecting back, it’s clear that no one could have predicted everything that happened. And yet on the precipice of a new year we’ll all attempt to predict what will happen in the year to come.
It’s fun to read through the previous year’s predictions as the year draws to a close — to get a sense of how close we came to predicting the future. One thing that most predicted correctly was just how difficult it would be to understand attack surfaces. Given they are constantly changing, it’s not difficult to see why. Driven in large part by the proliferation of IoT devices and the move to the cloud, we are more vulnerable than ever. We’re also more secure. Take Arlo for example; see their proactive approach to security.
After years of discussion and hype, the integration of DevOps and security, or DevSecOps, really began to take hold this year. Over the last few years, security became a boardroom discussion, with the role of CISO becoming standard in enterprise organizations; this year security became a discussion for dev teams, with security practices being implemented earlier in the cycle. That offers not only a more holistic view of vulnerabilities but also a better process for fixing them… faster.
CI/CD, or continuous integration / continuous delivery, drives application development teams to deliver code changes more frequently and reliably, and that only helps this cause of making security a first-class citizen. It will be increasingly important as the number of IoT devices in the cloud grows and the attack surface expands further. Shouldn’t security postures be continuously evolving as well?
Broken business logic is a major source of vulnerabilities. As companies with mature security programs clear out the low-hanging fruit, we expect to see more business logic vulnerabilities discovered. Our customers are already seeing this happen and are closing security gaps created by hand-offs between cross-functional teams.
Check out how Atlassian is mitigating this risk with proactive security strategies like Bug Bashes.
While big data and AI will continue to be important, neither is a silver bullet when it comes to security. To identify these kinds of business logic issues, you need the creative thinking only humans can provide, together with a platform that aggregates this input into actionable, contextual insights so that overloaded security professionals can prioritize the right actions.
Back in the boardroom, security will continue to be important. Companies now have a responsibility to report on security metrics. The ability to show that you’re not only “doing security” but also creating a feedback loop to improve it is changing from a nice-to-have to a need-to-have, and shortly thereafter to table stakes.
This is all in large part driven by consumer demand. Consumers are growing tired of receiving emails explaining that their personal information – their credit cards, social security numbers, and even passport numbers – has been exposed in a breach, and they are starting to include security in their buying decisions. The new Moody’s security rating is a great example. This, combined with new legislation and regulations, is sure to have an impact on the number of disclosure programs we’ll see over the next year, as security truly becomes a differentiator and marketing tool for B2C companies. The question then comes up in my mind: do we even understand the interconnected, continuously evolving app world, with IoT and cloud being a multiplier and new use cases introducing varied security weak points? Do we really understand our attack surface, and are we sufficiently securing it with the human creativity and intelligence required to protect ourselves?