Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
Security, developers and the road ahead in 2024
By Pieter Danhieux, Secure Code Warrior Co-Founder & CEO
We've hit that time of the year. The time to
reflect on everything that's happened, what we thought would happen and didn't,
lessons learned and what we expect will shape the decisions, actions and
outcomes over the next 12 months.
Challenging economic dynamics, emerging cybersecurity threats, and society's most accessible introduction to AI to date shaped what was an interesting 2023 for DevSecOps. Even more curious - none of these elements are in the rearview mirror as we turn the page and head into 2024. They are front and center for organizations, their developer and cybersecurity teams, and government regulators.
As priorities shift at a rapid pace, here are
the top predictions Secure Code Warrior sees unfolding in the next 12 months:
Organizations will place a premium on developer retention
Developers deliver immense value to organizations and their customers. Now it's on the organizations to demonstrate their value and appreciate what the developer can do for their bottom line. More investment will be made in retention strategies, programs and other efforts to ensure developers are more empowered to make their current employer their long-term career destination. Learning and development will be a huge differentiator for these enterprises.
More asks of developers will put content and integrations at center stage
The pressures placed on developers will not let up anytime soon, as organizations want more software, and continuous digital transformation, delivered into the hands of their customers sooner. For developers to stay sharp, anticipate emerging roadblocks in the software development life cycle (SDLC) and have access to more resources to accelerate innovation, more learning content and third-party integrations will be of paramount importance.
AI tooling is the new Stack Overflow
The same way developers go to Stack Overflow
or open source forums to seek help, developers will start turning to AI tools.
However, this creates a false sense of security. Developers will use AI as a
"help channel," but organizations will realize that this approach is not
enough.
AI remediation is here to stay
AI is not replacing the developer tomorrow,
but the technology is becoming more embedded in the software development life
cycle (SDLC), creating a more foolproof process to avoid introducing
vulnerabilities, or to identify a compatible fix. We're bound to see more
experimentation throughout the year that will inevitably bring about a change
in developer behavior, organizational investment, staffing re-allocation and
new approaches to cybersecurity risk management.
AI reliance + API explosive growth = regulatory measures
The number of companies fueling their
businesses through the accelerated creation and enablement of APIs has
significantly expanded the API threat vector. With the propensity of AI usage
to exponentially increase the speed at which APIs are created and launched,
greater governance for API security will need to be a focus - and new
regulatory measures are sure to be introduced.
More consequences for software vendors who don't ship secure code
CISA Director Jen Easterly has made it abundantly clear that software vendors should not be permitted to "pass the buck" when it comes to security within their products. While CISA's powers only extend so far (helping to enforce Secure-by-Design practices for vendors that sell to federal agencies), the MOVEit incident earlier this year reaffirmed that large software vendors need to hit and exceed a new benchmark. There needs to be more accountability, and more consequences to enforce, for repeat offenders who ship insecure code.
2024's OWASP Top 10 will show a renewed focus on design flaws
Speaking of Secure-by-Design, in 2021 OWASP introduced the "Insecure Design" category, focusing on the shift towards architectural security issues and flaws. As we anticipate their upcoming Top 10 list (most likely in 2024), there will be greater, executive-level conversation around the difference between insecure design and insecure implementation, with an emphasis on teams developing a secure software development life cycle (SSDLC), including a complete threat modeling procedure that supports critical authentication and access control configuration.
DevSecOps vendors will need to prove specific ROI to target different executive buyers
In order to sell to multiple groups in a competitive sales cycle, vendors will need to tailor conversations to different areas of the business. Traditionally, security vendors primarily sell to CISOs or security leadership. In 2024, there will be a greater need for the ability to prove risk reduction in increasingly specific contexts for executives across L&D and DevOps/AppSec - in addition to Security/CISOs.
"Gatekeeping" will be the ticket to security maturity in software development
CISOs remain under scrutiny to prove the business value of cybersecurity efforts, as well as the effectiveness of their program over time. Developers will increasingly need to prove they are security-aware before being given projects with sensitive repositories. CISOs who adopt a "gatekeeping" standard and prioritize secure coding from the start of the software creation process will better position their teams for security excellence.
Reactive security will be seen as old school
As the goal of increased cyber resilience
continues to dominate cyber strategies across multiple verticals, those who
rely on reaction and incident response as the only core tenets of their plan
will find themselves in a place of unacceptable exposure and risk. "Shift left"
needs to be more than a rapidly aging buzzword; code-level security should be
prioritized, alongside upskilling and verifying the competence of the
developers working on the software and critical digital infrastructure we take
for granted. Now, more than ever, governments and enterprises alike must commit
themselves to a preventative, high-awareness security program in which every
member of staff is enabled to share responsibility.
As the leader in secure coding education and
implementation, we're excited for the year ahead and collaborating with our
600+ customers to get ahead of these evolving dynamics. What does your 2024
look like and how can Secure Code Warrior help?
Interested in learning more? Follow us on X and LinkedIn to stay up to date on all announcements.
ABOUT THE AUTHOR
Pieter Danhieux is the Co-Founder/CEO of Secure Code Warrior, a global security company that makes software development better and more secure. In 2016, he was No. 80 on the list of Coolest Tech People in Australia (Business Insider) and was awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association).
Pieter is also a Principal instructor for the SANS Institute teaching military,
government and private organisations offensive techniques on how to target and
assess organisations, systems and individuals for security weaknesses. He also
serves as an advisory board member of NVISO, a cyber security consulting
company in Europe. Before starting his own company, Pieter worked at Ernst
& Young and BAE Systems. He is also one of the Co-Founders of BruCON, one
of the most awesome hacking conferences on this planet.
He started his information security career early in life and obtained the
Certified Information Systems Security Professional (CISSP) certification as
one of the youngest persons ever in Belgium. On his way, he collected a whole
range of cyber security certificates (CISA, GCFA, GCIH, GPEN, GWAP) and is
currently one of the select few people worldwide to hold the top certification
GIAC Security Expert (GSE).