As a result of the Covid-19 pandemic, organizations in all industries ramped up their digital transformation efforts to make online operations easier for their employees and customers. But with more and more organizations online, the digital attack surface is growing at a record pace. The more applications with vulnerable code, the more opportunities for a cyberattack. In fact, our research found that 76 percent of applications have at least one security vulnerability. So how will this shape the future of cybersecurity and software security?
There are three key technology trends that we believe will have the greatest impact on cybersecurity and software security over the next several years.
The first trend is ubiquitous connectivity. Think about how quickly the world – and everyone and everything in it – is becoming interconnected. Did you ever think you’d see a day where you can search the Internet from your refrigerator or turn on your television with a simple voice command? By the end of 2019, there were already 7.6 billion active IoT devices – and this number is expected to climb to 24.1 billion by 2030. And on top of the growing number of IoT devices, businesses are increasingly shifting their applications to the cloud.
But IoT devices and cloud-connected software bring increased risk. According to the Verizon 2021 Data Breach Investigations Report (DBIR), web applications were the source of over 39 percent of breaches, which is double the amount in 2019. Executive vice president and CEO of Verizon Business, Tami Erwin, cites the pandemic and the sudden shift to the cloud as the cause of increased web application risk.
Additionally, wireless and 5G add to the connectivity. Think of the number of people with smartphones checking their emails or shopping online without a firewall. These interfaces rely on APIs. But without the right security, APIs are a prime target for cybercriminals.
These trends point to an increased focus on API security, zero-trust models, and a shared responsibility model where organizations focus on application security, while the cloud provider focuses on infrastructure and physical security.
The second trend to keep an eye on is abstraction and componentization. Think about how fast companies release new software or technology. It feels like every time you turn around Apple has a new software update. But the speed of software deployments is no longer shocking … it’s expected. Companies need to release software rapidly in order to be competitive.
To move faster, many development teams are turning not only to the cloud but to microservices. With microservices, development teams can break down comprehensive applications into the smallest possible reusable blocks of logic in order to stitch them together into business processes or workflows.
APIs are used to integrate the components, which drives an API-first development approach. In fact, in SmartBear’s 2019 State of API Survey, 75 percent of respondents answered that adoption of microservice architecture will drive the biggest growth in API adoption in the next two years.
Open source libraries are also used as a way to speed up development. In fact, our State of Software Security report found that 97 percent of the typical Java application is made up of open source libraries.
And 46.6 percent of insecure open source libraries in applications are transitive, meaning the library is pulled in indirectly by another library in use. This means that the attack surface doesn’t just include the open source libraries that your developers added; it also includes the indirect libraries that those open source libraries pull in.
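To make the direct versus transitive distinction concrete, the following added example (not code from this article or its authors) walks the text output of `mvn dependency:tree` and reports, for each flagged library, whether the developer declared it or which declared dependency pulled it in. The coordinates, the advisory list and the function names are all constructed for illustration.

```python
import re

# Constructed sample in the text format printed by `mvn dependency:tree`.
# Every coordinate below is fictional.
SAMPLE_TREE = r"""
[INFO] com.example:shop:jar:1.0.0
[INFO] +- org.example.web:web-kit:jar:2.1.0:compile
[INFO] |  +- org.example.json:json-bind:jar:1.4.2:compile
[INFO] |  \- org.example.log:log-core:jar:0.9.1:compile
[INFO] +- org.example.db:db-client:jar:3.0.0:compile
[INFO] |  \- org.example.net:net-io:jar:1.2.0:compile
[INFO] |     \- org.example.zip:zip-util:jar:0.3.0:compile
[INFO] \- org.example.test:test-kit:jar:5.0.0:test
"""

# Constructed advisory list (group:artifact:version); not real findings.
ADVISORIES = {"org.example.json:json-bind:1.4.2",
              "org.example.db:db-client:3.0.0",
              "org.example.zip:zip-util:0.3.0"}

# Each nesting level adds a 3-character prefix ("|  " or "   ") before "+- " or "\- ".
LINE = re.compile(r"^\[INFO\] (?P<indent>(?:[| ]  )*)[+\\]- (?P<coord>\S+)$")

def parse_tree(text):
    """Return (depth, 'group:artifact:version', path from the direct dependency)."""
    stack, out = [], []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # project root line, blank lines, other log output
        depth = len(m.group("indent")) // 3 + 1
        parts = m.group("coord").split(":")  # group:artifact:type[:classifier]:version:scope
        gav = f"{parts[0]}:{parts[1]}:{parts[-2]}"
        del stack[depth - 1:]                # drop siblings and deeper levels
        stack.append(gav)
        out.append((depth, gav, list(stack)))
    return out

def flag_vulnerable(text, advisories):
    """List flagged libraries with the chain that brings each into the build."""
    return [{"library": gav,
             "kind": "direct" if depth == 1 else "transitive",
             "pulled_in_by": path[0],
             "path": " -> ".join(path)}
            for depth, gav, path in parse_tree(text) if gav in advisories]

def transitive_share(findings):
    """Fraction of flagged libraries that the project never declared itself."""
    hits = [f for f in findings if f["kind"] == "transitive"]
    return len(hits) / len(findings) if findings else 0.0

if __name__ == "__main__":
    for f in flag_vulnerable(SAMPLE_TREE, ADVISORIES):
        print(f["kind"], f["path"])
```

The `pulled_in_by` field is the actionable part: a transitive finding is usually fixed by upgrading or replacing the direct dependency at the head of the path, not the flagged library itself.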
Going forward, we envision a trusted third-party review authority that manages all public APIs and third-party code in order to make software publishers accountable for independent audits. There’s an awareness component here as well. Developers need to be aware of the risk in both the libraries they are pulling in directly and the transitive dependencies of those libraries.
Finally, automation will play a big role. For instance, going forward, automating open source remediation will be critical.
The final trend expected to impact cybersecurity is hyperautomation of software delivery. As we talked about with abstraction and componentization, speed of deployments is a critical factor when it comes to being competitive in the software market. And speed will continue to be a major factor over the next several years, bringing a “hypercompetitiveness” to businesses.
It’s expected that businesses will automate as many processes as possible: not just development processes but also processes that interact with software delivery. Eventually, DevOps and pipeline automation will not just be goals, they’ll be expectations. And everything that can be code will be code: security as code, compliance as code, and infrastructure as code.
For cybersecurity, this means that security will be increasingly automated. We will start seeing more and more organizations moving toward DevSecOps. This will mean that developer and security roles will continue to evolve. The security team will become less operational, taking on more of an auditing role. Developers will be in charge of application security testing and automating scans into their existing tools and processes – a trend that many development teams have already adopted.
Over the next few years, we can expect to see suppliers turning to AI and machine learning for tasks like identifying design vulnerabilities, threat modeling, and remediation. We can also expect more and more vendors to offer auto-remediation for third-party code.
Finally, given these three trends, and the growing attack surface, we can expect to see increased cybersecurity regulations. President Biden has already released an executive order regulating software vendors that interact with the federal government. He is calling for increased security measures and transparency into cyber incidents. We expect the regulations to not only impact software vendors that interact with the federal government but also impact software vendors that serve the public sector.
For additional insight into the future of cybersecurity, check out our recent VeraTalk, Cybersecurity: The Next Chapter.