Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
Digital Transformation Sparks the Evolution of Software Security
By Erez Yalon, Director of Research, Checkmarx
In 2020, the world experienced a rapid and widespread digital shift as the workforce moved from the office to the home. Naturally, organizations turned to cloud-based technologies to support operations and productivity. Although convenient, this shift has added a significant layer of complexity to software security. Additionally, all of our IoT devices that connect to the cloud now serve as new entry points for malicious actors, especially older, outdated models running unpatched software.
As we look to next year, we'll see software security evolve to support cloud native environments, especially where API authentication and authorization processes are concerned. IoT device security, although becoming more regulated, will also remain vulnerable to attacks and privacy issues. Let's explore further.
1. Cloud native security will take center stage
APIs have been the buzzword in modern software development and security. But if 2020 was the year of the API, 2021 will be the year cloud native security steals the spotlight. APIs play a major role in cloud native security, but the focus will turn to how cloud-based technologies continue to proliferate and gain adoption across organizations. Securing the resulting ecosystems of interconnected cloud-based solutions must become a priority.
Widespread understanding of cloud native security is still in its infancy. APIs, containers, and orchestration tools are now commonplace in software development, and organizations have been working hard to increase the connectivity between the different tools they have adopted to boost efficiency and productivity. But each point of connection carries the risk of a vulnerability that could lead to a breach. In 2021, we will see organizations come to grips with this reality of software complexity and take steps toward protecting themselves.
2. Vulnerable APIs will be most responsible for software and application-related breaches
While awareness of API security has improved over the past few years, we can still predict that APIs will remain a top, if not the top, attack vector for adversaries in 2021. APIs have become a convenient way for developers to build and run more complex web applications, but issues such as access control flaws continue to challenge developers, because accounting for and eliminating these vulnerabilities remains a difficult task with few easy solutions.
As malicious actors continue to ramp up their API-targeted attacks and organizations play catch-up in understanding how these interfaces can be exploited, adversaries will capitalize on this gap in the near term, forcing developers to quickly find ways to better secure API authentication and authorization processes.
3. Some progress on IoT security, but still ground to cover
We still have a lot of ground to cover on IoT security come 2021. The industry has taken steps in the right direction, such as the U.S. government passing a bill on IoT security for federal agencies, but the problem continues to lie in the lack of action on the part of consumers and manufacturers. Until consumers put real pressure on their governments and manufacturers for improved security in IoT devices, or manufacturers take greater responsibility for securing IoT products, security will remain a continuing cause for concern.
4. Legacy IoT devices will render consumers particularly vulnerable
One other area I'll be paying close attention to in 2021 is older models of IoT devices that are still deployed and active in corporate and personal environments. Over the past few years in particular, we've seen an explosion in connected devices, so much so that our lives are inundated with them. We've grown accustomed to having IoT devices operate in the background without thinking twice about replacing, upgrading, or scrapping them altogether.
As these gadgets grow older but remain in use, many manufacturers stop supporting them with software updates and patches as they prioritize newer models, making them prime targets for malicious actors looking for easy access points. As time moves on, vulnerabilities in these now outdated products will be discovered and exploited. As the saying goes, eventually "everything old becomes new again," which rings especially true for hackers.
About the Author
Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience, and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is responsible for maintaining Checkmarx's top-notch vulnerability detection technology, where his previous development experience with a variety of programming languages comes into play.