Research

Staying one step ahead of the ever-changing threat landscape is a strategic imperative for Veracode. Whether it's desktop apps, web apps or mobile, we're constantly looking for software vulnerabilities. If we discover something interesting, this is where you'll read about it.

Veracode Research Team Gives 5 Predictions for 2011

As we close out a security-eventful 2010, the Veracode research team thought it would be a good idea to think about what we are likely to see happen in 2011. Here are 5 predictions we believe have a very good chance of coming true.

1. Sandboxing goes mainstream with adoption by Firefox and Internet Explorer
Sandboxing limits the damage from the exploitation of a coding error rather than preventing the exploit itself: code running inside the sandbox is denied direct access to the operating system (file system, network, other processes), so an attacker who compromises the sandboxed renderer still needs a second, sandbox-escape vulnerability before reaching the user's data. Software companies whose apps are designed to render data and interpret script code downloaded from the Internet start to adopt sandboxing.
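As an added illustration of the principle behind prediction 1 (this is not code from the original post or from Veracode, and it is not how any particular browser's sandbox is built), the following Linux program shows the smallest useful sandbox: a child process installs a seccomp-BPF filter that denies the open/openat system calls and then tries to open a file, while the parent stays unrestricted and just reports the result. The function names install_filter and probe_open_in_child are this example's own, and the probe path /dev/null is simply a file that is readable everywhere.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* The filter must check the architecture first: syscall numbers differ per ABI,
   and a process could otherwise switch ABI to bypass a number-based filter. */
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example supports x86_64 and aarch64 only"
#endif

/* Install a seccomp-BPF filter in the calling process: deny open/openat with EPERM,
   allow every other syscall. Example helper, not a real browser's policy. */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        /* A = seccomp_data.arch; kill the process if it is not the expected ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* A = seccomp_data.nr; jump to the ERRNO return for open/openat */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_open                    /* legacy open() exists on x86_64 but not aarch64 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0),
#endif
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Required for an unprivileged process to install a filter; it also guarantees
       that exec of a setuid binary can never regain privileges inside the sandbox. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Fork a child that optionally sandboxes itself and then tries to open `path`.
   Returns 0 if the open succeeded, 1 if it was denied with EPERM, 2 if it failed
   for another reason, 100 if the filter could not be installed, negative on
   fork/wait failure. The parent process is never filtered. */
static int probe_open_in_child(int sandboxed, const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (sandboxed && install_filter() != 0)
            _exit(100);
        int fd = open(path, O_RDONLY);   /* glibc routes this through openat() */
        if (fd >= 0) {
            close(fd);
            _exit(0);
        }
        _exit(errno == EPERM ? 1 : 2);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    if (!WIFEXITED(status))
        return -3;                       /* e.g. killed by the arch check */
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("unsandboxed open(/dev/null): %d (0 = succeeded)\n",
           probe_open_in_child(0, "/dev/null"));
    printf("sandboxed   open(/dev/null): %d (1 = denied with EPERM)\n",
           probe_open_in_child(1, "/dev/null"));
    return 0;
}
```

A real renderer sandbox is the inverse of this: it allow-lists the handful of syscalls the renderer needs (memory, futex, the IPC socket to the broker) and denies everything else, and it is combined with namespaces or an integrity level so that the code never reaches the filesystem or network directly. The deny-list here is only to keep the mechanism readable; note also that once the filter is installed it cannot be removed, which is exactly the property a sandbox relies on.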

2. Microsoft follows Google and Mozilla and starts paying a bug bounty
Following Google's and Mozilla's lead, more companies offer to pay researchers for reporting bugs to them. Microsoft, which stated years ago that it would never pay for bugs, caves to industry pressure as it is hit with more uncoordinated disclosures than its peers.

3. A mobile app causes a major enterprise security breach
Rapid growth of mobile apps continues on enterprise-connected mobile devices. Inevitably, attackers leverage this juicy new attack vector to penetrate corporate perimeters and gain access to sensitive data. It also turns out that the malicious application that enabled the attack was downloaded through a well-known and trusted app store.

4. Government and corporations stock up on anti-leak security products to defend against insider attacks, but high profile leaks continue
The insider threat problem is so huge that a single security product category such as DLP, coupled with new policies on removable media, fails to make a dent in leaks. Comprehensive security programs focused on internal applications and internal networks take years to implement. New organizations copy the Wikileaks model to give more outlets for leaked information.

5. A critical infrastructure facility in the US suffers a damaging incident resulting from a Stuxnet-like stealthy targeted worm
Stuxnet demonstrated a sophisticated, aggressive attack capability that can be replicated. Removable media is once again used to bridge an air gap and a zero-day vulnerability in a SCADA system is used to cause physical damage.

4 Comments

It feels like (3) and (4) will be part of the same security incident

Comment by DmitryK — December 8, 2010 @ 1:15 pm

Excellent predictions. Number three may be the return of crippling attacks like SQL Slammer. Number 5 is a bold prediction but definitely possible. Number 4 is disturbing: how are these DLP products selling? Is no one testing to see if their detection mechanism can be evaded? I have tested three of these products in the past and each one was easy to evade.

Comment by cyb3rs3c — December 8, 2010 @ 1:27 pm

[...] Thanks to WikiLeaks, and the buzz about protecting sensitive government and private sector data. Some interesting viewpoints here and here. [...]

Pingback by Dan Griffin’s Blog » Data loss prevention is a hot item right now — December 9, 2010 @ 8:34 pm

[...] (Veracode Research Team Gives 5 Predictions for 2011) [...]

Pingback by Veracode Security Predictions for 2011 « Predicted — February 5, 2012 @ 9:14 am
