Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
# Faster Software Development, Better Team Collaboration and AI

By Dan Hopkins, VP of Engineering at StackHawk
In 2023, from the cybersecurity vendor
perspective, strong M&A activity and company consolidation continued,
despite uncertain economic headwinds. Many of the larger security companies
continued to acquire smaller vendors to help plug gaps in their technology
offering and/or to expand it. While M&A activity has slowed due to
increases in scrutiny by regulatory bodies, this year, we witnessed many
private acquisitions in the security market to bring companies together.
There was one market in particular, the
Application Security Posture Management (ASPM) industry segment, which carried
strong momentum this year. Large industry players, including Snyk, acquired
companies with robust ASPM capabilities to integrate into their solution suite
and product portfolio. These moves demonstrate the growing importance of
application security as application and software development life cycles
continue to shorten.
This year, almost every organization was also
forced to do more with less when it came to security. With many implementing
hiring freezes in response to difficult economic circumstances, organizations
started to focus their efforts on addressing their most critical
vulnerabilities and threats first. CISOs and security teams reevaluated their
set of solutions throughout the course of the last year and many began removing
legacy tools and solutions which no longer served a strong purpose in a bid to
cut costs.
Looking forward to 2024, there is no doubt
that cybersecurity, specifically application security, will remain a critical C-level priority.
Let's explore some of the top trends that organizations can expect to see emerge
and continue in the new year.
## Legacy solutions will become obsolete
Faced with difficult economic headwinds,
organizations and their security teams will continue to reevaluate their set of
security solutions and remove legacy tools from their tech stack to reduce
spend. More expensive, low-performing tools that have been limping along over
the past decade will continue to be kicked out of organizations' security
solution rosters in 2024. This particularly applies to many of the legacy tools
built in the early 2000s and during Web 1.0. If you are buying security tooling
in 2024, make sure it supports your understanding of how your systems work and
helps you discover everything which exists within your environment.
## Faster development life cycles will continue
In 2024, the march towards faster development
lifecycles to keep pace with demand will continue. As developers and
organizations push new applications into production faster, organizations must
ensure that security practices happen in real time in the CI/CD pipeline as
software engineers are developing source code. In the new year, organizations
must also devise and implement strategies that facilitate connection between
runtime and testing. Currently, the way we protect our systems is very
disconnected from the way we test for vulnerabilities and prevent them from getting
out the door. There needs to be more cross-talk between the two.
## Engineering and security teams must be more collaborative
A trend expected to continue in 2024 is more
need and willingness for collaboration between security and engineering teams.
Time and time again, many security risks and vulnerabilities can be traced back
to security teams being unaware of what engineering teams are doing and which
applications are being created and deployed. Most organizations still haven't
built a cultural connection between these two important teams. Over the next 12
months, it is pivotal that organizations place more onus on forming collaborative
relationships with software engineering and security teams. The two teams must
not be viewed as separate but rather as one group working cohesively. Better
partnerships will ensure security teams are aware of what applications and code
exist within their environment and will also lead to security practices being
better understood by those creating the software. To facilitate this bond,
organizations must ensure that any security solutions they purchase help the
software engineering and security teams work in parallel.
Engineers are accustomed to working with solutions that have easy-to-use,
efficient and well-appointed user interfaces (UIs). As they become more
involved in the security process, they will expect the same level of efficiency
from security tooling.
## Basic application security hygiene remains key
As we witnessed in 2023, the areas where
organizations and their applications continue to be exploited remain largely
the same. It is very telling that the OWASP Top 10, which outlines the most
imminent risks pertaining to application security, has not changed
significantly over the past several years. Basic vulnerabilities, particularly
those found within APIs, widely persist and are causing astronomical risk.
Organizations need to raise the minimum bar that they are working at when it
comes to their AppSec posture. That starts with developing a more comprehensive
understanding of their infrastructure and what exists within it. Organizations
need to get started with basic discovery to understand their attack surface.
Once that is achieved, they can then begin to bring in the basic security
practices to fill any identified gaps.
## Big opportunities with AI and LLMs, but approach with caution
Artificial intelligence (AI) and large
language models (LLMs) dominated the industry conversation in 2023. And
rightfully so. Many remain excited about the significant enhancements to
productivity they may bring, a huge win for organizations struggling with
limited resources during these tumultuous economic times. But it's important
that we approach these new technologies with caution. While they have the
potential to augment business operations, attackers will also be leveraging
these tools to execute attacks on organizations and their employees. It is
possible that we'll see a rise in attacks targeting humans in the new year, particularly
phishing scams.
## ABOUT THE AUTHOR
Dan Hopkins is VP of Engineering at StackHawk. He has been a software
engineer for 20 years, working at high growth startups such as VictorOps and
LivingSocial and at large high-tech companies such as Splunk. For the last 10
years, he has focused on building tools for progressive engineering teams adopting
DevOps and DevSecOps practices.