As we close out a security-eventful 2010, the Veracode research team thought it would be a good idea to think about what we are likely to see happen in 2011. Here are 5 predictions we believe have a very good chance of coming true.

1. Sandboxing goes mainstream with adoption by Firefox and Internet Explorer

Sandboxing can prevent the exploitation of coding errors by preventing code running inside the sandbox from interacting with the operating system. Software companies with apps that are designed to render data and interpret script code downloaded from the Internet start to adopt sandboxing.

2. Microsoft follows Google and Mozilla and starts paying a bug bounty

Following Google’s and Mozilla’s lead, more companies offer to pay researchers for reporting bugs to them. Microsoft, which stated years ago that they wouldn’t ever pay for bugs, caves to industry pressure as they are hit with more uncoordinated disclosures than their peers.

3. A mobile app causes a major enterprise security breach

Rapid growth of mobile apps continues on enterprise-connected mobile devices. Inevitably, attackers leverage this juicy new attack vector to penetrate corporate perimeters and gain access to sensitive data. It also turns out that the malicious application that enabled the attack was downloaded through a well-known and trusted app store.

4. Government and corporations stock up on anti-leak security products to defend against insider attacks, but high profile leaks continue

The insider threat problem is so large that a single security product category such as DLP, coupled with new policies on removable media, fails to make a dent in leaks. Comprehensive security programs focused on internal applications and internal networks take years to implement. New organizations copy the Wikileaks model, giving leaked information more outlets.

5. A critical infrastructure facility in the US suffers a damaging incident resulting from a Stuxnet-like stealthy targeted worm

Stuxnet demonstrated a sophisticated, aggressive attack capability that can be replicated. Removable media is once again used to bridge an air gap and a zero-day vulnerability in a SCADA system is used to cause physical damage.


About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (2)

DmitryK | December 8, 2010 1:15 pm

It feels like (3) and (4) will be part of the same security incident.

cyb3rs3c | December 8, 2010 1:27 pm

Excellent predictions. Number three may be the return of crippling attacks like SQL Slammer. Number 5 is a bold prediction but definitely possible. Number 4 is disturbing; how are these DLP products selling? Is no one testing to see if their detection mechanism can be evaded? I have tested three of these products in the past and each one was easy to evade.
