Experts share their 2021 software security predictions about DevSecOps adoption, the risks of social engineering and ransomware, cloud adoption, and more.
Anybody who made predictions a year ago about 2020 could be forgiven for feeling a bit like the TV weather forecaster who got a note from an angry viewer telling him, “I just shoveled six inches of ‘partly cloudy’ off my driveway.”
Because nobody—literally nobody—could have had a clue back in November 2019 that by March the nation would be in the grip of a pandemic that would upend every industry including IT, moving the bulk of the workforce out of offices and into their homes, expanding the attack surface in new and diverse ways, and canceling long-established live events like security conferences.
So yes, everybody missed a very big thing—the biggest thing of the year.
But that doesn’t mean everybody should swear off predictions for 2021. Predictions are, after all, speculative by nature. They say what is likely, not guaranteed, to happen, which is still worthwhile. And fortunately, there are a number of courageous prognosticators who are still willing to lay out their speculations in public.
Chances are, most of them will be right because they’re good at spotting and evaluating trends, and most of them have enjoyed some career success because of their ability to plan ahead.
So, in no particular order, here is some very informed speculation about the year ahead on everything from the cloud to ransomware. And yes, some of that speculation is based on the reality that the coronavirus has changed the world, for the long term.
As profound an impact as DevOps has had on application security programs and practices in the past few years, the acceleration of cloud adoption during this pandemic year is shifting the software security landscape even more dramatically.
While DevOps represents a clear evolution in the way that software is built, delivered, and operated, the architecture, composition, and very definition of applications are changing rapidly, leading to a rethink of software security approaches. These dual pressures of delivery velocity and cloud transformation will have a big impact on the software security market in the next one to two years.
To get ahead of this cloud transformation, software security will evolve again into a risk-based vulnerability management service that seeks to automate and orchestrate security services as part of the software build and delivery pipeline. We’ll see increased demand for API security, cloud application security, application security orchestration services, and consolidated risk-based vulnerability management approaches to software risk reduction.
Until this year, the cloud was still viewed as an option by most organizations. With COVID-19 and the overnight shift to working from home, it has become a mandate. This shift will create changes both in how security is focused and where attackers focus in 2021.
We’ll see a massive shift to cloud-native solutions in 2021. We’ll see increased adoption of secure access service edge (SASE); authentication and identity management; and host, data, and user-centric approaches to security. On-premises technologies will be upgraded or ripped out for cloud-native and containerized solutions. Infrastructure as a service and desktop as a service will enter a heyday.
Correspondingly, we’ll see attackers en masse set their sights on breaking container-based architectures such as Kubernetes, and very likely see the first major breach of such an environment. Vendors will be forced to adapt their technology to this new paradigm or risk going the way of antivirus.
In a connected world, espionage has increasingly become a digital endeavor. That will expand, FireEye predicts, beyond what it calls the Big Four (Russia, China, Iran, and North Korea) to include Vietnam and South Asia.
But information warfare now goes beyond espionage, to spreading disinformation. “While it used to be just Russia targeting the U.S., the number of parties involved is growing rapidly. Iran is now involved, and there are pro-China and pro-Cuba regional networks in Argentina,” Jamie Collier, cyber threat intelligence consultant at FireEye, told SecurityWeek.
“All this space is getting more complex—and a wider nexus of groups is trying to mimic legitimate media in their campaigns. We suspect that there are contractors, PR and marketing firms, and other nonstate actors now involved in these information operations.”
Disinformation and misinformation impact businesses and the public at large in myriad ways. For a business, false or misleading claims can have a major impact on their bottom line. At scale in the public, misinformation can tilt the tide of public opinion.
The good news is that at a smaller scale, cyber security and digital forensic teams have experience with this challenge.
So along with AI/ML platforms becoming easier to use, expect to see early applications of autonomous fact-checking technology appearing across various platforms next year. I expect to see applications for business systems, validating critical business process data, as well as the obvious consumer applications within social media platforms. Think secure supply chain approaches, but for information.
For the past several years, social engineering has been the primary attack vector used to breach organizations. Although we’ve seen organizations implement increasingly rigorous social engineering testing programs to increase awareness and lower the chances of a successful attack, humans will continue to be a popular target for cyber criminals.
Social networks will turn their attention to user authenticity. Goodbye, anonymous trolls. To curb abuse and rebuild trust, social media platforms will offer additional capabilities to verify their users. Like the blue checkmark on Twitter, online identities will become easily recognizable as genuine. Currently, this type of confirmation is a manual process reserved for high-profile accounts in the public interest. To automate verification and extend a badge of trust to more users, social media platforms will need to deploy strong, irrefutable authentication that a user is a real human being. Biometrics offer the effortless usability and accuracy of authentication that will be needed to do this at scale.
Cybercriminals are relying less on consumers’ personal information and more on their behaviors to commit identity-related crimes, making personal information less valuable and attractive to attackers. This could be a long-term trend.
Meanwhile, key U.S. government resources dedicated to financial and identity crime victims have been eliminated. We believe options for direct assistance will continue to decline in 2021.
Over the past year, we’ve seen organizations rapidly building applications using low-code/no-code platforms. Application security testing (AST) tools, particularly static application security testing (SAST) tools, work best when there’s code to scan. The way SAST tools work may require alterations to accommodate these platforms.
I also envision a change in how we build security into software. More and more AST tools will move toward providing the same experience as low-code/no-code platforms. By providing a few inputs to the tool, they will be able to generate all the integrations required to run the tool either on-prem or in the cloud seamlessly, just like low-code/no-code platforms.
So I predict truly building “Sec” into DevOps with low-code or no-code platforms.
Ransomware attacks show no sign of stopping, and the pandemic has only ramped this space up. Next year we can expect to see more of these incidents hitting the healthcare and R&D industries as hackers look for intellectual property and trade secrets related to COVID-19. All industries will be investing more in cyber security and insurance coverage as remote work continues on a mass scale.
Ransomware almost doubled, from $11.5B to $20B in damages in 2020, but the cyber security community predicted this increase. Similarly, ransomware will continue to play a major role in 2021 with the steady move to “access as a service” and access marketplaces where skilled attackers not willing to take the heat of monetizing their efforts will move to underground forums to sell off implants and credentials that will likely get flipped to ransomware deployments.
In 2020, a draft standard of ISO SAE 21434 Cybersecurity Engineering was released and WP.29 UN regulations on Cybersecurity and Software Updates were adopted. These standards and regulations put higher emphasis on cyber security for the automotive industry and will drastically affect auto manufacturers and suppliers especially in the next few years, both on technical and organizational levels.
As more software is used in automotive systems, it becomes even more important for automotive organizations to deploy automated solutions to help find and fix software vulnerabilities and weaknesses earlier in software development.
The next evolution in security is a one-stop-shop platform. With expanded attack vectors due to remote working and no single software that substantially addresses all these new security needs, there will be an increase in demand for security platforms—not disjointed applications—to ensure top-notch security.
Global robotic process automation (RPA) software revenue is projected to reach $1.89 billion in 2021, an increase of 19.5% from 2020. Despite economic pressures caused by the COVID-19 pandemic, the RPA market is still expected to grow at double-digit rates through 2024.
“The key driver for RPA projects is their ability to improve process quality, speed, and productivity, each of which is increasingly important as organizations try to meet the demands of cost-reduction during COVID-19,” said Fabrizio Biscotti, research vice president at Gartner.
With the shift to remote work brought about by COVID-19, enterprise “bring your own device / bring your own personal computer” (BYOD/BYOPC) programs have been making a huge comeback. But scaling them is proving to be cost-prohibitive for companies relying on traditional remote-access solutions like virtual desktop infrastructure and desktop as a service (DaaS). Endpoint security will have to evolve, so 2021 will bring greater investment in secure digital workspaces. Enterprises will look to extend their support for nonmanaged laptops, not just for contractors and third parties but for the entire workforce, and they will need to address manageability and privacy issues related to these programs.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.