Our 2022 software security predictions are in. The experts weigh in on the trends and how they’ll shape cybersecurity efforts in the new year.
To paraphrase the familiar yuletide song, in the world of IT this is “the most speculative time of the year.”
True, tying predictions to the regular calendar may be a bit out of sync for much of the business and government world—the federal fiscal year begins on Oct. 1, and here at Synopsys we say Happy First Quarter on Nov. 1. But we all still celebrate the new year on New Year’s Day.
Which means that this is the time of year when a parade of courageous experts dust off their crystal balls and flood tech websites with forecasts about the coming year.
Yes, courageous. Besides confidence, it takes courage to make predictions that could turn out to be dead wrong, or that could miss the biggest story of a year. Which everybody did in 2019. Nobody, absolutely nobody, predicted that less than three months into 2020 life, health, work, and technology would be upended by a pandemic that continues two years later. That’s why we talk about 20/20 hindsight, not foresight. That’s why the late, great Yogi Berra is credited with declaring that “it’s tough to make predictions, especially about the future.”
But predictions, while not infallible, are still worthwhile. Many do come true. And fortunately, there are still plenty of well-informed cybersecurity prognosticators who are willing to lay out their speculations in public.
We should all give thanks to them for that because chances are many of them will be correct. Most have achieved some career success for that reason—their ability to evaluate trends and plan ahead. That can help the industry in general and everybody involved in it individually.
So in no particular order, here’s some informed speculation about what we’ll be seeing, buying, selling, enjoying, and perhaps fighting in 2022.
Although increased scrutiny of our software security and technology supply chains will drive incremental improvements and ramp up security spending, it’s unlikely to keep pace with the exponential increase in malicious threats and insecure systems.
Software supply chain risk management will rapidly emerge as a crucial discipline and top-three investment area for CISOs, as they realize the extent to which they lack visibility into software and have underinvested in software security programs relative to the extent of the threat to the business.
Cyberattacks targeting security weaknesses in software supply chains and DevOps infrastructure will increase as hackers seek to insert back doors and malware into commercial software to infiltrate businesses and governments using software they think they can trust.
Cyberattacks targeting security weaknesses in software supply chains and DevOps infrastructure will increase, but we don’t have enough cybersecurity professionals to help organizations manage their risk. Using automation and machine learning is really the only way organizations can manage the delicate situation of increased risk and skill shortages.
With SaaS being the preferred architecture of enterprises of all sizes, we should expect other large supply chain attacks next year. It will be critical for enterprises to assess, test, and analyze their SaaS and other interconnected apps for security gaps to protect themselves.
The Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity, although issued in 2021, will start to impact many companies in 2022. This high-profile push to drive continuous security improvements throughout the technology supply chain will require suppliers to be cyber aware and will make cybersecurity a competitive imperative.
Companies that can’t demonstrate to the consuming public that their products and services are secure will quickly find themselves at a competitive disadvantage. In contrast, companies that can produce a comprehensive and reliable software Bill of Materials that identifies the software components in their products including, very importantly, their open source components, will increase customer confidence and enjoy a competitive advantage.
The 2021 Biden cybersecurity executive order will continue to have a ripple effect well into 2022. Due to the astonishing number of cyberattacks—notably ransomware—in the last couple of years, software is being developed in a more controlled environment. Therefore, we will see growing interest among companies to ensure that their software development follows not only tight release schedules, but also the minimum security requirements that can help lower the risk of a breach. We may also see changes in the software supply chain, including its management. The result may be stricter rules regarding software acceptance, along with calls for proof of a rigorous security/quality process.
I see an expansion of multilateral cooperation around cybersecurity. There have been two high-level meetings of U.S. government officials in Singapore where cybersecurity was discussed: Secretary of Defense Lloyd J. Austin III’s visit in July and Vice President Kamala Harris’s in August. A quick internet search of hacks or breaches in Asia Pacific brings up a common theme—the involvement of nation-state malicious actors. This is something that governments in the region are keen to get ahead of by cooperating to share information.
More people will demand to know what their software is made of. Whether it’s a nutrition label or Bill of Materials or similar, organizations will demand that vendors account for all software in apps and devices, where it came from, how it was built and tested, and how it’s being maintained. In a few years, selling opaque software will be the exception rather than the rule.
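What “comprehensive and reliable” means for a Bill of Materials is easiest to see with a checker that consumes one. The following Python is an added example written for this page, not code from the article or from any Synopsys product. It assumes a hand-written CycloneDX-style document (the field names bomFormat, components, name, version, purl and hashes/alg/content are real CycloneDX fields, but the document is a constructed minimal subset), two constructed byte strings standing in for vendored dependencies, and a constructed advisory list whose identifiers are not real CVEs. It checks the three things a consumer of an SBOM actually needs: that every component is identified, that the recorded hash matches what shipped, and that identified components can be matched against advisories.

```python
"""Check a CycloneDX-style SBOM for identity, integrity and advisory exposure.

Added example; not code from the original article or from Synopsys.
The SBOM, the artifact bytes and the advisory list are all constructed.
"""
import hashlib
import json

# Constructed artifact bytes standing in for two vendored dependencies.
ARTIFACTS = {
    "pkg:npm/left-pad@1.3.0": b"module.exports = function leftPad(s, n) { /* ... */ }\n",
    "pkg:maven/org.example/util@2.1.0": b"PK\x03\x04 example jar bytes\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed SBOM. The third component has no version, purl or hash; the second
# records a hash that does not match the artifact above (a swapped or tampered
# dependency). Only the first is fully identified and intact.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256(ARTIFACTS["pkg:npm/left-pad@1.3.0"])}]},
        {"type": "library", "name": "util", "group": "org.example", "version": "2.1.0",
         "purl": "pkg:maven/org.example/util@2.1.0",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"type": "library", "name": "mystery-lib"},
    ],
})

# Constructed advisory list keyed by purl; the identifier is not a real CVE.
ADVISORIES = {
    "pkg:npm/left-pad@1.3.0": ["EXAMPLE-ADV-0001"],
}


def check_sbom(sbom_text, artifacts, advisories):
    """Return (component, problem) pairs for everything a consumer should question."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in sbom.get("components", []):
        label = comp.get("purl") or comp.get("name", "<unnamed>")
        # 1. Identity: a component without version and purl cannot be tracked or matched.
        for field in ("version", "purl"):
            if not comp.get(field):
                findings.append((label, f"missing {field}"))
        # 2. Integrity: a hash must be recorded, and it must match what actually shipped.
        hashes = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}
        if "SHA-256" not in hashes:
            findings.append((label, "no SHA-256 hash recorded"))
        elif label in artifacts and hashes["SHA-256"] != sha256(artifacts[label]):
            findings.append((label, "SHA-256 does not match shipped artifact"))
        # 3. Exposure: identified components are matched against known advisories.
        for adv in advisories.get(comp.get("purl"), []):
            findings.append((label, f"known advisory {adv}"))
    return findings


if __name__ == "__main__":
    for component, problem in check_sbom(SBOM_JSON, ARTIFACTS, ADVISORIES):
        print(f"{component}: {problem}")
```

The unidentified component is the interesting case: it produces no advisory match, which is exactly why an SBOM entry without a version or purl is a finding in its own right rather than a clean result.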
Traditionally, AppSec has been seen as an arbitrary hurdle placed in the way of business progress. We’re passing a tipping point where organizations are realizing that AppSec is a business enabler, inseparable from how we build, deploy, and run software.
For organizations that build software, 2022 will be the year of invisible AppSec. When AppSec tools are run automatically, and when results are integrated with existing processes and issue-trackers, developers can fix security weaknesses as part of their normal workflows. There is no reason for them to go to separate systems to “do security,” and no reason they should be scrolling through thousand-page PDF reports from the security team, trying to figure out what needs to be done.
At the same time, organizations are starting to recognize that AppSec is a critical part of risk management, and that a properly implemented AppSec program results in business benefits. That doesn’t just mean fewer software vulnerabilities, which means less risk of catastrophe or embarrassing publicity. Good AppSec also means fewer support cases, fewer emergency updates, higher productivity, and happier customers.
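The mechanical part of “invisible AppSec” is reconciling each automated scan with the issue tracker so that developers see one ticket per real weakness and nothing else. The Python below is an added example written for this page, not code from the article or from any Synopsys tool. It assumes scan results and tracker state as plain dictionaries (a real pipeline would read SARIF from the scanner and call the tracker’s API); the two findings and two tracker issues are constructed. The design point is the fingerprint: it is built from rule, file and the normalized offending code, deliberately not the line number, so that code shifting a few lines between runs does not open a duplicate ticket, and an open ticket whose finding no longer appears is closed automatically.

```python
"""Reconcile automated scanner findings with an issue tracker.

Added example; not code from the original article or from any Synopsys product.
Scan results and tracker state are constructed stand-ins for SARIF and a tracker API.
"""
import hashlib
import re


def fingerprint(finding):
    """Stable identity for a finding that survives line-number churn.

    rule + file + whitespace-collapsed snippet; the line number is excluded on
    purpose so that moving the code does not create a new ticket.
    """
    snippet = re.sub(r"\s+", " ", finding["snippet"]).strip()
    key = "\x00".join([finding["rule_id"], finding["file"], snippet])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def reconcile(findings, tracker_issues):
    """Return the tracker actions needed so that open issues match current findings."""
    current = {fingerprint(f): f for f in findings}
    open_by_fp = {i["fingerprint"]: i for i in tracker_issues if i["state"] == "open"}
    actions = []
    for fp, f in current.items():
        if fp in open_by_fp:
            continue  # already tracked: no duplicate, no noise for the developer
        actions.append({"op": "create", "fingerprint": fp,
                        "title": f"[{f['rule_id']}] {f['file']}: {f['message']}",
                        "line": f["line"]})
    for fp, issue in open_by_fp.items():
        if fp not in current:
            actions.append({"op": "close", "fingerprint": fp, "id": issue["id"],
                            "reason": "no longer reported by scan"})
    return actions


# Constructed scan output: the SQL finding moved from line 40 to line 44 since last run.
SCAN_RESULTS = [
    {"rule_id": "SQLI-001", "file": "app/db.py", "line": 44,
     "snippet": 'cur.execute("SELECT * FROM users WHERE id=" + uid)',
     "message": "SQL built by string concatenation"},
    {"rule_id": "HARDCODED-SECRET", "file": "app/config.py", "line": 7,
     "snippet": 'API_KEY = "example-not-a-real-key"',
     "message": "Credential in source"},
]

# Constructed tracker state: issue 101 was filed for the SQL finding on the previous
# run; issue 102 is still open although its finding no longer appears in the scan.
TRACKER_ISSUES = [
    {"id": 101, "state": "open",
     "fingerprint": fingerprint({"rule_id": "SQLI-001", "file": "app/db.py",
                                  "snippet": 'cur.execute("SELECT * FROM users WHERE id=" + uid)'})},
    {"id": 102, "state": "open", "fingerprint": "deadbeefdeadbeef"},
]

if __name__ == "__main__":
    for action in reconcile(SCAN_RESULTS, TRACKER_ISSUES):
        print(action)
```

Run against the constructed data this yields exactly two actions: create a ticket for the hard-coded credential and close issue 102; the SQL finding is recognized as issue 101 despite its new line number.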
We should really look at 2021 as the beta test for ransomware as a service (RaaS). 2022 will likely see a huge uptick in ransomware as a direct result of the growth of the RaaS market. Cybercrime groups will continue to expand their RaaS reach by making it easier and cheaper for aspiring script kiddies to get into the game and target organizations that are still being impacted by the cyber skills shortage. With close to 600,000 vacant security jobs in the U.S. alone, organizations will have to rely more heavily on technology and managed security service providers to keep up with the escalating number of attacks.
Of course ransomware is just the “how” side of the breach equation. The “who” side will most likely see an increase in attacks against critical infrastructure and the supply chain. Attacks like those against Kaseya and SolarWinds have brought attention to the state of application security and how easily one breach can trickle down exponentially.
While much of the U.S. and Europe have had a revival in leisure travel, business travel is still lagging. Many organizations aren’t budgeting much for travel in 2022, which may make it possible to reallocate spending to other areas. I see more digital transformations taking shape in 2022 as organizations look for efficiencies in a world where we’re not quite sure if life will ever return to normal.
In the year ahead, cybersecurity awareness training will remain essential to the prevention of a variety of cyberattacks for organizations of all shapes and sizes. This is an important way for businesses to prevent phishing attacks.
There are new technologies in development today that might just overthrow the reign of cloud computing. Some address the drawbacks of cloud computing like ongoing costs, security issues, and reliance on the internet, while others simply provide a better way of doing things.
First is edge computing—the practice of bringing data and computation closer to the location where it’s needed. This helps save data bandwidth and decrease response time, which is most useful for IoT devices. Instead of sending data all the way to clouds or data centers, it is processed closer. This helps analyze data in almost real time.
Next is fog computing. It addresses the problem of cloud computing not being able to process huge amounts of data in time. With fog computing, every function—storage, analysis, processing—is moved to the edge of the network. This is great for managing data floods in a networked environment.
Another technology, Project Solid, is an initiative from the inventor of the web itself, Tim Berners-Lee. It provides users with complete control over their data by placing it into a container. It would allow access to the data while the user is signed in, but that access would end when the user signs out. In essence, it means that you bring your data with you.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.