Emerging technology trends cast a shadow on user safety and data privacy. Every new smart, connected device makes software security even more important.
Since technology is intertwined with every aspect of most people’s lives around the world, the overall attack surface increases tremendously year over year. With this continually increasing risk, we should place increased importance on software security. So we’d like to predict what will define the next few years in terms of the seemingly never-ending cat-and-mouse game of software security. Here are six technology trends that are sure to affect software security going forward:
We are in the era of smart devices. We are using mobile devices extensively to communicate, shop, and store sensitive information. With the advent of using mobile payment technologies and e-wallets to transfer money, the focus is shifting from traditional money management. The storage of payment information on mobile devices has long been a driving force for cyber criminals and, as more and more people conduct financial transactions online, the attack surface grows.
We also have to worry about mobile malware. Apple and Google app stores have both been hit by mobile malware. For example, XcodeGhost malware is able to obtain sensitive data such as user credentials. We can expect to see more attacks like this in the future.
What can be done? Because software security for mobile applications is a growing technology trend, organizations should have their applications assessed before releasing them internally and externally to bolster their security.
Machine learning is quickly becoming a core part of autonomous technology, including cars. We have yet to see complete autonomy of cars, but we can still expect to see attacks on automobiles. In fact, we’ve already witnessed attacks on cars and planes in recent years.
What can be done? It’s scary to imagine your car’s computer system being hacked while driving to work. To prevent these attacks from taking place, manufacturers are diligently integrating software security into their vehicles. They are recognizing that any automobile part that is connected to the network needs to be protected.
Virtualization is a major part of cloud environments. At a basic level, virtualization partitions a physical layer (say a server) into different virtual layers (virtual machines). It helps a cloud environment provide software, data, or any computing resources efficiently, and comes in the form of a software-defined network. Virtualization leads to a complex structure of layers in which each layer has to be secured. With the advancement of virtualization within cloud environments, we are seeing an increase in software security defects being reported, and this technology trend is sure to continue.
What can be done? Organizations are heavily dependent on virtualization for core functions because it provides easier deployment and management, improved disaster recovery, and reduction in hardware costs. Delivering proper security mechanisms for these is a big technology trend.
With the development of sophisticated tools to detect attacks, attackers are forced to evolve their skill sets and tools to sneak past advanced detection. Attackers are continually working to find exploits for different components and this will most definitely continue.
When organizations get hit by zero-day vulnerabilities, they get hit badly. A zero-day (also known as 0-day) vulnerability is a software security flaw that is not known or not disclosed to the vendor. With a zero-day exploit, an attacker could cause serious damage ranging from planting malware to gaining unauthorized system access. Infrastructures are built from components that are interconnected. This increases the attack surface and gives attackers more room to exploit.
What can be done? Of course we cannot predict what is going to be hit, and that is why software security needs to be taken seriously from the very beginning of the SDLC.
Internet of Things (IoT) is emerging at a rapid rate. We have more devices embedded with network connectivity that are collecting and exchanging data. Wearable devices, including medical devices, are vulnerable to being hacked. They might collect sensitive information such as GPS coordinates. We’ve seen quite a few cases related to ransomware. The technology trend is sure to continue as we connect more wearable and smart gadgets to the internet. It is scary to imagine an attacker holding a patient ransom by controlling their pacemaker.
What can be done? We need to perform rigorous security tests before making such devices available to the public.
Organizations are becoming more aware of the security problem. There is an increase in the demand for software developer security training so that they’re able to build secure software from the beginning. This technology trend will grow exponentially as more organizations identify the need for security training.
What can be done? Such training sessions are helpful to establish a “secure development” mindset among developers who don’t currently care about security unless the system gets compromised.
With new technology coming into our homes and our lives every day, it’s important that we stay focused on building secure software for these devices (even if the device is as small as a sensor that’s collecting weather data and pushing it to a cloud server). We may not know what could go wrong until it’s too late. We may not know how attackers could leverage these devices until it’s too late. But adopting software security measures will make the exploitation task hard for attackers.
Security will buy us more time. In that extra time, we can move the focus to better hardening the software. Securing software is not a one-time task. It is continually evolving as the technology around us evolves. Let’s tighten our security measures to create a safer, smarter future.
Mahesh Kukreja is a senior security consultant at Synopsys. He specializes in application security assessments, particularly the manual ethical hacks of web and mobile applications. Mahesh comes from a computer science background and holds a Master's in Security Informatics from Indiana University. He was introduced to computer security in 2006, and has been growing his knowledge and skills in this field ever since. In his spare time, he composes short poetry, hits the gym, and plays games on his Xbox.