Industry executives and experts share their predictions for 2019. Read them in this 11th annual VMblog.com series exclusive.
Contributed by Ivan Novikov, CEO of Wallarm
The Evolution of Cyber Defenses, Attacks and Vulnerabilities
Looking back on 2018, we saw a string of major breaches that affected billions of consumers and cost large corporations financial and reputational harm. We also saw data privacy take center stage for governments and businesses, driven in part by the enforcement of GDPR in Europe and the development of similar legislation in the US. Meanwhile, the rise of promising technologies such as AI and blockchain continued to shape the cybersecurity industry. In 2019, we can expect cyber defenses, attack methods and the vulnerabilities available for attackers to exploit to keep evolving. Here are a few thoughts on what I expect to see in 2019 and beyond:
Envoy Proxy will result in increased security issues driven by misconfigurations
Envoy recently graduated from the Cloud Native Computing Foundation, the third project to do so. Envoy Proxy is a good project and its growing popularity is well deserved. It is reasonably robust from a security perspective because of its good architecture, C++ implementation and lack of a legacy code base. At the same time, it is a young project, and operations teams are far less familiar with it than with, for example, NGINX. As a result, we are likely to see more security issues driven by misunderstanding or misconfiguration, such as configurations that let an attacker steer the proxy's outbound requests toward internal services, opening the way to sophisticated server-side request forgery (SSRF) exploitation.
Fuzzing will become mainstream from both the attack and defense perspectives
The term 'fuzzing', meaning feeding an application large numbers of malformed or unexpected inputs in order to provoke crashes and other unhandled errors, first entered the security fray back in 1988. 2019 will be something of a milestone in its maturity: more than thirty years on, fuzzing as both a defensive measure and an attack method will become much more mainstream. Fuzzers will be used to automatically generate thousands of test cases, delivering tangible agility and security benefits across the three primary areas of concern for CISOs without requiring developers to become overnight security experts:
- Vulnerability detection - dynamically and continuously probe for exploitable bugs and configuration errors, to mitigate threats and support regulatory compliance
- Digital transformation - exercise interfaces and protocols and close the holes opened by configuration changes made during cloud migration
- Continuous operations - continuous testing that surfaces anomalies and other unexpected behavior at the application layer, catching threats that have not yet been discovered
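To show what the loop behind all three looks like, here is an added example in Python (not code from the article or from Wallarm). It is a minimal mutation-based fuzzer: the target parse_record() is a constructed toy parser with one deliberate defect (a declared chunk length of zero is accepted and then used as a divisor), the parser's documented RecordError counts as a legitimate rejection, and any other exception is reported as a finding. The record format, the seed input and the dictionary of interesting values are all assumptions made for the demonstration; production fuzzers such as AFL or libFuzzer add coverage feedback and run compiled targets, but the mutate-run-classify cycle is the same.

```python
"""Mutation-based fuzzer against a toy parser (added example; not code from
the article or from Wallarm). parse_record() is a constructed target with
one deliberate defect; the fuzzer mutates a seed input, treats the parser's
documented RecordError as a legitimate rejection, and reports every other
exception as a finding."""
import random

# Values a fuzzer keeps in its dictionary: integer boundaries and the
# format's own delimiters, which reach interesting parser states quickly.
INTERESTING = [b"0", b"-1", b"1", b"255", b"65536", b"4294967295",
               b"\x00", b";", b"=", b":"]


class RecordError(ValueError):
    """The parser's documented rejection of malformed input (expected)."""


def parse_record(data: bytes) -> dict:
    """Constructed target: parses 'key=<chunk_len>:<value>;...' and splits
    each value into chunks of chunk_len bytes.

    Deliberate defect: a declared chunk length of 0 is not rejected, so the
    division below raises ZeroDivisionError, an unhandled fault of the kind
    fuzzing exists to find."""
    out = {}
    for field in data.split(b";"):
        if not field:
            continue
        key, sep, rest = field.partition(b"=")
        if not sep or not key:
            raise RecordError("missing key")
        length_str, sep, value = rest.partition(b":")
        if not sep:
            raise RecordError("missing length")
        try:
            chunk_len = int(length_str)
        except ValueError:
            raise RecordError("non-numeric length") from None
        if chunk_len < 0:
            raise RecordError("negative length")
        n_chunks = len(value) // chunk_len        # BUG: chunk_len == 0 divides by zero
        out[key] = [value[i * chunk_len:(i + 1) * chunk_len]
                    for i in range(n_chunks)]
    return out


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, token insert, token overwrite or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    pos = rng.randrange(len(buf)) if buf else 0
    if op == 0 and buf:                       # flip one bit of one byte
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == 1:                             # insert a dictionary token
        buf[pos:pos] = rng.choice(INTERESTING)
    elif op == 2 and buf:                     # overwrite one byte with a token
        buf[pos:pos + 1] = rng.choice(INTERESTING)
    elif buf:                                 # delete one byte
        del buf[pos]
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int = 5000, seed: int = 1234) -> dict:
    """Mutate, run, classify. Inputs the target accepts are kept as new
    parents because they get deeper into the parser than rejected ones."""
    rng = random.Random(seed)                 # fixed seed makes a run reproducible
    stats = {"accepted": 0, "rejected": 0, "crashes": []}
    corpus = [seed_input]
    for _ in range(iterations):
        candidate = rng.choice(corpus)
        for _ in range(rng.randint(1, 3)):   # stack a few mutations per case
            candidate = mutate(candidate, rng)
        try:
            target(candidate)
        except RecordError:
            stats["rejected"] += 1
        except Exception as exc:             # anything else is a finding
            stats["crashes"].append((candidate, exc))
        else:
            stats["accepted"] += 1
            corpus.append(candidate)
    return stats


def crash_type(target, data: bytes):
    """Re-run one input and return the unexpected exception type, or None."""
    try:
        target(data)
    except RecordError:
        return None
    except Exception as exc:
        return type(exc)
    return None


if __name__ == "__main__":
    result = fuzz(parse_record, b"name=5:alice;age=2:30")
    print(f"accepted={result['accepted']} rejected={result['rejected']} "
          f"crashes={len(result['crashes'])}")
    for data, exc in result["crashes"][:3]:
        print(f"  {type(exc).__name__}: {exc!r} on input {data!r}")
```

The classification step is what makes the output usable: rejections are the parser doing its job, so only exceptions outside its documented contract are reported, and crash_type() lets each finding be replayed on its own before it is filed as a bug.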
AI will continue to be refined and implemented by both organizations and criminals
High-profile breaches this past year have thrust the application layer into the security spotlight: as applications become more sophisticated, their development also opens up more vulnerabilities. While DevOps is racing to keep up with accelerated application development, keeping up with, much less anticipating, threats manually is becoming impossible. Machine learning and AI will increasingly be used to find and mitigate vulnerabilities more efficiently and with more accurate results.
Serialization-based attacks and vulnerabilities in application frameworks will grow
Serialization is incredibly efficient, but deserializing data that is not properly validated and continuously monitored is an open door for would-be attackers. Whether the payload smuggles in a malicious object graph or chains together unsafe code that already exists on the server (the serialized data itself need not contain any code), what is a help in most cases can become a paralyzing obstacle in others. Beyond refusing serialized objects from untrusted sources, CISOs will employ integrity controls such as digital signatures, restrict which types may be deserialized at all, and invest in proactive monitoring and logging of deserialization exceptions, failures and connections, to ensure that no malicious payload gets in and that pre-existing vulnerabilities are not exploited.
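To make both sides of this concrete, here is an added example in Python (not code from the article or from Wallarm). It uses the standard pickle module: a payload that names a callable already present on the server and gets it invoked by a naive pickle.loads(), beside a loader that verifies an HMAC over the serialized bytes before touching them, resolves only allow-listed types, and logs every rejection. The key, the Profile type and the _run_on_unpickle stand-in for a real gadget such as os.system are all constructed for the demonstration.

```python
"""Unsafe deserialization beside a signed, allow-listed loader (added example;
not code from the article or from Wallarm). All names below are constructed
for the demonstration."""
import hashlib
import hmac
import io
import logging
import pickle

log = logging.getLogger("deserialization")

# Records what the gadget did; stands in for the shell command or file write
# a real gadget chain would perform on the server.
EXECUTED = []


def _run_on_unpickle(arg):
    """Server-side callable a malicious payload points at (stand-in for os.system)."""
    EXECUTED.append(arg)
    return arg


class Gadget:
    """Attacker-built object. The payload carries no code: __reduce__ merely
    names a callable that already exists on the server and the arguments
    pickle.loads() should call it with."""

    def __reduce__(self):
        return (_run_on_unpickle, ("attacker-controlled",))


class Profile:
    """The one type the application legitimately exchanges (constructed)."""

    def __init__(self, user, roles):
        self.user = user
        self.roles = roles

    def __eq__(self, other):
        return isinstance(other, Profile) and (self.user, self.roles) == (other.user, other.roles)


# Control 1: integrity. Constructed key; in production it comes from a secret store.
KEY = b"constructed-demo-key-do-not-reuse"
MAC_LEN = hashlib.sha256().digest_size


def sign(payload: bytes, key: bytes = KEY) -> bytes:
    """Prefix the serialized bytes with an HMAC-SHA256 tag."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def verify(envelope: bytes, key: bytes = KEY) -> bytes:
    """Return the payload only if the tag matches, using a constant-time compare."""
    tag, payload = envelope[:MAC_LEN], envelope[MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        log.warning("deserialization refused: integrity check failed (%d bytes)", len(envelope))
        raise ValueError("bad signature")
    return payload


# Control 2: an allow-list of globals the unpickler may resolve, so that a
# payload signed with a leaked key still cannot reach arbitrary callables.
ALLOWED_GLOBALS = {(Profile.__module__, "Profile")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        log.warning("deserialization refused: global %s.%s not allowed", module, name)
        raise pickle.UnpicklingError(f"{module}.{name} is not allowed")


def safe_loads(envelope: bytes):
    """Verify first, then deserialize with the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(verify(envelope))).load()


def try_load(envelope: bytes):
    """Run safe_loads and report the outcome instead of raising."""
    try:
        return ("ok", safe_loads(envelope))
    except (ValueError, pickle.UnpicklingError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    malicious = pickle.dumps(Gadget())
    pickle.loads(malicious)                      # naive loader: the gadget runs
    print("naive pickle.loads executed:", EXECUTED)
    print(try_load(malicious))                   # unsigned: rejected before parsing
    print(try_load(sign(malicious)))             # signed, but names a disallowed global
    print(try_load(sign(pickle.dumps(Profile("alice", ["user"])))))
```

The order matters: the signature is checked before any byte of the payload is parsed, so malformed or hostile data never reaches the unpickler, and the allow-list is a second layer for the day the signing key leaks. The warning lines are the "monitoring and recording of deserialization failures" the text asks for; in a real deployment they would be shipped to the SIEM and alerted on.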
API gateway and framework misconfiguration issues will arise
New, sophisticated development platforms and frameworks have simplified coding, and the threshold to become a developer has become much more attainable. While simple on the outside, modern frameworks and platforms remain complex on the inside, which makes them time bombs: as developers adopt these frameworks without a deep technical understanding of how they work, organizations can expect to see issues resulting from misconfigurations.
Use of automation to compensate for the shortage of cybersecurity pros
The robots are coming! Headlines emphasize that AI and automation are coming for our jobs, yet while the global AI security market is projected to reach $34.8 billion by 2025, that growth compensates for a lack of IT security professionals rather than taking roles that already exist. The fact is that AI is better suited to tasks such as intrusion detection, risk and vulnerability assessment, and continuous testing. As threats and hacking techniques continue to proliferate, it will become impossible to keep pace without AI and machine learning. The AI security market is in a state of flux at the moment, and we are seeing a slew of significant investments and market consolidation. We think this will increase competition and fuel innovation, all of which means AI will become better and quicker at identifying and mitigating risks than lower- to mid-level security analysts. This can be an opportunity for those currently configuring tools to move instead into monitoring or quality control positions.
About the Author
Ivan Novikov is CEO and co-founder of the AI-powered application security company Wallarm. He is a white-hat hacker who specializes in testing methods to improve the security of information systems. Ivan has won several bug bounty awards from companies including Google, Facebook, Nokia, Honeywell and others, and frequently speaks at security events including Black Hat, Hack in the Box, SINET Innovation Summit, AI Summit and others. He is known for inventing memcached injection and for his work on Server Side Request Forgery (SSRF).