Our experts share their 2019 software security predictions about AI/machine learning, design and standards, cloud adoption, and IoT, routers, and data in transit.
It’s that time of year when everyone in cyber security tries to guess what’ll happen next year. There’s the obvious, of course: More data breaches. More consumer apathy, followed by more consumer outrage. More vociferous condemnation by lawmakers in some countries, and more penalties imposed by regulatory bodies in others. But what else should we know about the next 12 months? Here are a handful of 2019 software security predictions from our experts.
While capabilities and technologies advance, they also create disproportionately more information and data points. It is easy to drown in this sea of information and lose sight of the essentials. … The challenge is to find the needle in the haystack on one end of the spectrum and to combine data from different methods and domains to obtain a holistic view on the other end of the spectrum. For 2019 we don’t need more data; we need better decision-making support.
Ralf Huuck, senior technologist, Synopsys
Many people will learn that artificial intelligence (AI) and machine learning (ML) are already all around them, often making decisions that affect their lives, their families, their health, their jobs, and so on.
Sammy Migues, principal scientist, Synopsys
Machine learning will continue to work pretty well but will suffer the occasional ridiculous failure as the underlying statistical nature of many learning algorithms becomes clear. A number of risks surrounding representation, sensor tampering, state manipulation, priming, and catastrophic forgetting will come (back) to light. Associated security issues will be fun to explore.
Gary McGraw, vice president of security technology, Synopsys
A significant aspect of cyber security is data correlation and analytics. The ability to find individual threats, threat campaigns, and perform threat actor attribution based on multiple disparate sources of data (i.e., finding needles in haystacks) is a large part of the game. ML/AI provides the ability to increase the speed, scale, and accuracy of this process through data modeling and pattern recognition. … [But] the reality of the situation appears to be that more time and investment will be required to hone the data models and patterns to make ML/AI a highly effective technology in software security and cyber security.
Mark Zurich, senior director of technology, Synopsys
Software is still largely written without formal standards and processes behind it. Unlike building bridges, software development is not a standardized, repeatable job. Open source has been on the rise for a long time and is now commonplace. One can imagine that actually more trust will be placed in common building blocks based around open source software. Moreover, vertical software development standards will appear more strongly. As evident for safety-critical systems such as cars and aircraft, when lives depend on correct software execution, more effort will be placed on standards, auditability, and accountability. These standards might be evolving bottom-up or will be government-regulated. Potential new verticals on the rise for this are financial services, solutions around blockchain, and security around mobility solutions.
Ralf Huuck, senior technologist at Synopsys
We’ve been automating security analysis at the code level and pen testing at the application level for over a decade, and that automation is perfectly suited for DevOps. The same cannot be said for design analysis (also called threat modeling). The lack of automation for architectural risk analysis will mean that in many cases it is conveniently left out (oops, we’ll just sweep that under the rug). This is becoming a more tangible problem as DevOps adoption progresses. … Software design flaws will be on the rise as targets of attack. Witness the recent Facebook (and Google+) attacks that led to massive data loss impact. Design flaws are much harder to find and fix than simple bugs. As a result, even very strong software security groups sometimes miss them during review.
Gary McGraw, vice president of security technology at Synopsys
In 2019, we’ll continue to see a movement to the cloud. With growing economies, organizations are seeing more disruptive new companies coming into the market. This is forcing organizations to reinvent themselves. Digitalization initiatives are ongoing, and new cloud environments are changing the way firms deploy apps. This will keep organizations on their toes in terms of application security. In the year to come, I predict that there will be more cloud investments regarding application security initiatives. With this, we will see a growing need for training staff on application security.
Olli Jarva, managing consultant, Synopsys
The “inventory” problem (that is, what is running where, who made it, what its constituent parts are) is exacerbated by the move to the cloud and massively distributed architectures. See this article about why that was a problem before. The bad news is, things are going the wrong direction.
Gary McGraw, vice president of security technology, Synopsys
IoT attacks will remain an issue in the year to come. In APAC, many countries are moving forward with smart city and smart nation initiatives. This opens the opportunities for a new wave of IoT cyber attacks. Attacks could be approached from a data-poisoning perspective in which faulty information is intended to influence organizational decision-making through the sensors deployed within the target city or nationwide. We’ll also see the same old issues persist: hard-coded credentials and unpatched components, not very well designed OTA updates, and continuous update policies.
Olli Jarva, managing consultant, Synopsys
When it comes to security, devices, gadgets, and consumer electronics are NOT secure by default. If your gizmo maker does not mention security, do not assume that the thing you bought is secure. IoT remains a security disaster waiting to happen. One of the main problems is that there is no way to update the (broken) software and hardware running inside of IoT devices when new security problems are discovered. IoT needs to be secure by design and secure by implementation. Firewalls on the network will not fix this problem.
Gary McGraw, vice president of security technology, Synopsys