Virtualization Technology News and Information
Semmle 2019 Predictions: Improving Security at a Developer and Enterprise Level

Industry executives and experts share their predictions for 2019.  Read them in this 11th annual series exclusive.

Contributed by Pavel Avgustinov, Co-founder and Vice President of Platform Engineering and Albert Ziegler, Data Scientist, Semmle

Improving Security at a Developer and Enterprise Level

Software security is a shared responsibility - the more eyes on code, the higher quality and more secure it will be. In 2019, security professionals and developers will need to work together as one community to build better, more secure code. Two executives from Semmle shared their predictions with us on how security will continue to impact the developer community, from patching vulnerabilities at faster rates to embracing open source.

Pavel Avgustinov, Co-founder and Vice President of Platform Engineering, Semmle

1.  Emergence of product security responsibilities. Software vendors today acknowledge the risk introduced by products -- each program and application introduces a new attack surface to exploit. This will lead companies to apply greater diligence to product security. Within the next year, I believe product security will become more prevalent within job functions. We'll see this happen by industry. True high-tech players are leading the way, and will be quickly followed by high-risk sectors -- financial services, automotive and aerospace companies. We'll likely see product security responsibilities given to senior developers at companies with smaller teams, or where there isn't budget to create a new job for the purpose.
2.  In 2019, software vendors will be faster to patch vulnerabilities. 2018 showed us that software and hardware companies alike were not immune to vulnerabilities. As a result, the narrative around the process of vulnerability disclosure has evolved. The responsible disclosure rule, or the allowance of 90 days from time of disclosure to issuing a patch, has been a guiding light for many and will continue as the norm. Due to the significance vendors place on vulnerability discovery -- whether through bug bounty programs, variant analysis, or pentesting -- I expect the average time from discovery to patch, and hence disclosure, to shorten from 90 days to 30 or less.
3.  More of the world's largest companies are embracing open source for security - but widespread adoption will take time. Open sourcing software continues to gain traction, not least for its security benefits. Increasingly, companies are experiencing the benefits of more secure code, which comes with getting as many eyes on their code as possible. A number of industries recently adopted innovative security solutions outside of the tech universe -- companies like Comcast and Bloomberg for example, which recently open sourced their C++ frameworks. Even though this traction will continue in 2019, it's unlikely that the mindset shift will take hold in the next 12 months. I expect this to take another few years for the industry at large to adopt open source security.
4.  A dialogue around information sharing and security as a shared responsibility will emerge in the security community. If you look closely at recent security bulletins from leading companies, you'll notice the volume of instructional information being shared. For example, Google's infosecurity blog posts are geared toward teaching readers how vulnerabilities were found and best practices for patching. This is happening in part due to the discrepancy in growth between developer and security teams. The number of software developers is growing rapidly, but the number of security professionals is not. To keep up with the rapid pace of software development, the best security teams share their tricks, tools and practices to help the greater community improve.

In 2019, a dialogue will emerge in the security community around information sharing. In fact, sharing information around vulnerabilities and patches will be critical for security teams to keep up with the growth of developers -- it will be critical that there is a community of people working together to create methods and tools and standards to keep software secure.

Albert Ziegler, Data Scientist, Semmle

1.  Code quality will be tied to security, and open source will be a driver. Developers have long realized that open source logically can make code more secure, simply because more people are analyzing the code. Some of the world's largest conglomerates rely on open source for security. For example, Microsoft's acquisition of GitHub this year portended its status as the world's largest contributor to open source projects on GitHub, a strong indicator that the world's most influential companies value code quality. This critical mass will take hold in 2019, and more companies will embrace open source to improve quality of their code.
2.  Developer awareness of security will rise. I recently conducted a study examining instances of developers' mentions of code security on open source code development platforms and found that developer awareness about security and vulnerabilities is exploding. The number of mentions of the terms has significantly increased and maintained volume, demonstrating a growing awareness of software risks. While focus on security is increasing from developers, that doesn't mean security is assured - in fact, results from the open source code development and automatic code review platform confirm that new vulnerabilities are still introduced at a higher rate than old vulnerabilities are fixed. Humans are fallible and perfect code is impossible, while remote attacks on software will continue. In 2019, we'll see an extension of data from the survey, and greater developer awareness of cybersecurity within the code development cycle.

About the Authors

Pavel Avgustinov is co-founder and VP of platform engineering at Semmle, and has been coding since his father first taught him at age four. He now has experience in a wide range of programming languages and technologies. Pavel was first introduced to Semmle by his doctorate supervisor at the University of Oxford, Semmle CEO Oege de Moor. His recent work has focused on lattice theory, query optimisation and evaluation for high-performance relational databases, and analysis of large amounts of structured data. He also has extensive experience in compiler construction and software quality monitoring. Pavel completed both his doctorate and undergraduate degrees at the University of Oxford.

Albert Ziegler is a data scientist at Semmle, where he performs data-driven research into the process and the results of collaborative software development. After his PhD in Pure Mathematics, Albert has worked both as a software developer and as a data scientist, and finally as a data scientist researching software development. His interests are the drivers behind differences in code quality and software productivity. He's also a contributor to the blog.

Published Thursday, January 31, 2019 7:19 AM by David Marshall