Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
Secure Code: A driver for positive change in the industry
By Joe Ferrara, CEO, Security Journey
2023 was a tough year for the cybersecurity industry, with just the first nine months of the year showing a 20% increase in data breaches compared to all of 2022. As we enter a new year, this threat landscape is expected to become even more menacing, with cyber criminals turning to new techniques including AI. Overall, cyber threats are set to cost businesses $10.5 trillion globally by the end of 2025. Organizations must prioritize cyber resilience in their 2024 planning. With 28,092 new CVEs published in 2023, an increase of over 15% compared to the previous year, this planning should include a focus on software security, both in terms of internally developed code and third-party software vendors.
To build resilience, organizations must increase awareness and take a continuous approach to education. All enterprises should be aware of the importance of secure code and, more importantly, of how to adopt better security principles, and it is up to the security industry to communicate the implications of insecure software for overall security posture. Without this, organizations neglect basic cyber hygiene, which drastically increases their risk exposure.
Organizations need to be better at core security principles
As long as companies prioritize security below speed to market, we will likely continue to see cyber criminals reusing old tactics to exploit persistent vulnerabilities. The neglect of basic security measures in most businesses gives threat actors the perfect opportunity to strike over and over again using the same attack methods. Although we may see some more sophisticated attacks emerge from more advanced criminal groups, many will continue attacking businesses at their weakest points with rather simple methods. This highlights the importance of developing a better understanding of security essentials such as threat modelling, secure design, secure coding, and patch management, to protect against a wider range of threats.
A human touch will remain essential
While AI has clear benefits in the software development lifecycle, it also presents risks. Forrester has predicted that 2024 will see multiple public breaches attributed to insecure AI-generated code. This brings to light the critical importance of maintaining a human aspect in software development. The problem with AI-generated code is that it can be based on open-source, unknown, or insecure code, and although AI will continue to grow more sophisticated with time, it will always be reliant on the information it is trained on. Recently, a presidential executive order laid out plans to focus on building more secure AI systems through red-team testing. To ensure high-quality AI output, however, such testing must be combined with an emphasis on oversight by well-trained human developers and thorough code reviews, treating the generated code as a starting point.
The ongoing fallout of the MOVEit breach will echo through 2024, leading to a focus on secure code, particularly from code-generating services. Responsibility will be placed in the hands of AI developers to train the systems with tested, high-quality code, and on business leaders to invest in secure coding training programs that empower the whole SDLC with the skills to detect code vulnerabilities and follow best practices. By bringing in targeted, role-based training for their software development teams, organizations will be building a solid foundation on their path towards cyber resilience.
The road to secure code regulations
2023 saw a continued push towards an ethos of 'secure by design' in regulation, frameworks, and guidance, but without specificity on how to achieve it. Overarching secure coding mandates are hard to implement because different industries have a wide variation in application priorities, sensitivities, value to cyber criminals, and times to market. This means that more general guidance often fails to meet the needs of any particular situation, and companies often take the easiest or fastest route to avoid losing development time. New CVEs are discovered all the time, but the reputational and financial impacts of this alone don't seem to be enough to convince software vendors to change their approach. In 2024, if the industry wants to see real change, this will have to come from more proactive leadership and not just "checking the box".
This year, the Payment Card Industry Data Security Standard (PCI DSS) 4.0 demands more stringent secure coding practices from vendors. The inclusion of this in requirement 6.2 of the standard is a striking example of the PCI Council pushing for real change, requiring vendors to invest in building security into their products from the start. In 2024, competitive pressures and customer contractual obligations will have the most impact in bringing more secure software to the market, while the regulatory changes take time for real adoption.
Security vendors must remain vigilant
2024 will likely see an increase in attacks on security vendors, similar to what we have already seen with SolarWinds and Okta. Given the very nature of what they do, they are particularly lucrative targets for threat actors: they usually store large amounts of sensitive data themselves and have special access to their clients' systems, so criminals will be looking to exploit them as a way to access larger corporations and gain higher rewards. Often the way in is through software vulnerabilities, and so it is essential that all security software vendors take proactive and robust measures to better secure their own code and avoid becoming a threat vector themselves. Development teams should undertake continuous secure coding education to ensure that the applications and APIs they use are up to a high security standard, reducing the risk of exploitation. As we go into 2024, we will see that the vendors maintaining a competitive edge will be those that hold themselves to a higher security standard than the rest.
ABOUT THE AUTHOR
Passionate about driving growth in technology companies, Joe has a track record for building market-leading businesses in cybersecurity and telecommunications at Wombat Security, Ericsson, Marconi, and Tollgrade. He also currently serves as a Board Member of seed investor Innovation Works and most recently served as Senior Vice President and General Manager of Proofpoint's Security Awareness Division.