Posted by Mahesh Kukreja on December 8, 2015
Since technology is intertwined with every aspect of most people’s lives around the world, the overall attack surface increases tremendously year over year. With this continually increasing risk, we should place greater importance on software security. So as 2015 comes to an end, we’d like to predict what will define 2016 in the seemingly never-ending cat-and-mouse game of software security.
Last month, Gartner released the Top Ten Technology Trends for 2016. The list focuses on devices communicating with each other, developments in machine learning, and how architecture has to be smart enough to evolve with security.
In response to the Gartner 2016 forecast, here are six additional technology trends that are sure to affect software security during the upcoming year:
We are in the era of smart devices. We use mobile devices extensively to communicate, shop, and store sensitive information. With the advent of mobile payment technologies and e-wallets for transferring money, the focus is shifting away from traditional money management. The storage of payment information on mobile devices has long been a draw for cyber criminals and, as more and more people conduct financial transactions online, the attack surface grows.
We also have to worry about mobile malware. Apple and Google app stores have both been hit by mobile malware. For example, XcodeGhost malware, which was in the news recently, is able to obtain sensitive data such as user credentials. We can expect to see more attacks like this in the coming year.
What can be done? Because mobile application security is a growing concern, organizations should have their applications security-assessed before releasing them, whether internally or externally.
Machine learning is quickly becoming a core part of autonomous technology, including cars. We have yet to see complete autonomy of cars, but we can still expect to see attacks on automobiles. In fact, we’ve already witnessed attacks on cars and planes this year.
What can be done? It’s scary to imagine your car’s computer system being hacked while you drive to work. To prevent these attacks from taking place, manufacturers are diligently integrating software security into their vehicles. They are recognizing that any automobile component connected to the network needs to be protected.
Virtualization is a major part of cloud environments. At a basic level, virtualization partitions a physical layer (say, a server) into separate virtual layers (virtual machines). It lets a cloud environment deliver software, data, or any other computing resource efficiently, and it extends to the network in the form of software-defined networking. Virtualization leads to a complex structure of layers, each of which has to be secured. In 2015, with the advancement of virtualization within cloud environments, we saw an increase in reported software security defects, and this trend is sure to continue through the coming year.
What can be done? Organizations depend heavily on virtualization for core functions because it provides easier deployment and management, improved disaster recovery, and reduced hardware costs. Delivering proper security mechanisms for these virtualization layers will be a big trend for next year.
With the development of sophisticated tools to detect attacks, attackers are forced to evolve their skills and tools to sneak past the advanced detection. Attackers are continually working to find exploits for different components, and this will most definitely continue in the next year.
When organizations get hit by zero-day vulnerabilities, they get hit badly. A zero-day (also known as 0-day) vulnerability is a software security flaw that is not known to, or not disclosed to, the vendor. With a zero-day exploit, an attacker could cause serious damage, ranging from planting malware to gaining unauthorized system access. Infrastructures are increasingly built from interconnected components. This increases the attack surface and gives attackers more room to exploit.
What can be done? Of course we cannot predict what is going to be hit, and that is why software security needs to be taken seriously from the very beginning of the SDLC.
The Internet of Things (IoT) is emerging at a rapid rate. We have more devices embedded with network connectivity that are collecting and exchanging data. Wearable devices, including medical devices, are vulnerable to being hacked. They might collect sensitive information such as GPS coordinates. We saw quite a few cases related to ransomware in 2015. The trend is sure to continue in 2016 as we connect more wearable and smart gadgets to the Internet. It is scary to imagine an attacker holding a patient ransom by controlling their pacemaker.
What can be done? We need to perform rigorous security tests before making such devices available to the public.
Organizations are becoming more aware of the security problem. There is an increase in the demand for software developer security training so that they’re able to build secure software from the beginning. This trend will grow exponentially in 2016 as more organizations identify the need for security training.
What can be done? Such training sessions help establish a “secure development” mindset among developers who otherwise don’t think about security until a system gets compromised.
With new technology coming into our homes and our lives every day, it’s important that we stay focused on building secure software for these devices (even if the device is as small as a sensor that collects weather data and pushes it to a cloud server). We may not know what could go wrong until it’s too late. We may not know how attackers could leverage these devices until it’s too late. But adopting software security measures will make exploitation much harder for attackers.
Security will buy us more time. In that extra time, we can shift our focus to further hardening the software. Securing software is not a one-time task. It continually evolves as the technology around us evolves. As 2016 gets underway, let’s tighten our security measures to stay ahead of the bad guys and make it a safer, smarter year.