2019 will be the most security-conscious year yet, with the general public more concerned and enterprise spending on defense and research growing relentlessly. However, for innovative and emerging technologies, security will also present new challenges to organizations large and small. The status quo of speed and functionality being chosen over security to address competition is highly likely to continue, and boards and corporate leaders need to be continually convinced as to the importance of security as part of strategic business objectives.
What is becoming more of a challenge? What is alleviating some of the burden on enterprises? For those looking forward, and for those looking to find or build solutions, these are the cybersecurity trends to watch for 2019.
Necessary Speed and Agility Changes Aid Increasingly Secure Rapid Delivery
According to a recent survey by Veracode, 52% of developers are concerned that an increase in application security will pose a threat to development and deadlines.
A house built on a shaky foundation will not stand up for long, just as software cannot truly be secure in an operational state if it was not originally built securely. Unfortunately, the extra time and effort that is needed to create secure software from the ground up is still a hard-sell.
In an ideal world, developers would all be security experts who coded everything as securely as possible, and management would understand and accept the need to spend extra resources to achieve a secure operational state by design. We know this is not the case today, so DevSecOps is one agility concept that helps incorporate security during development, without “tacking on” security at the end of a release cycle.
By accelerating the security audit process, secure development can be validated for assurance much faster. Through automation and the DevSecOps model, security is thus better able to keep up with frequent iterations with increased assurance.
Another concept that can help maintain speed and agility is not new, but it also is not frequently used in most industries: Design thinking.
Rajat Mohanty, Co-founder and CEO of Paladion, recently wrote in Forbes that “design thinking places humans — not technology — at the center of both a problem and that problem’s potential solutions.” Mohanty also states, “Design thinking tells us to seamlessly blend cybersecurity controls into a user’s environment and to pay particular attention to smoothing out any complications or personal considerations that might complicate adherence. It takes these concerns seriously and designs a solution that corrects them, instead of wishing users would just follow technically perfect security controls that never survive contact with the real world.”
With the 2018 Verizon Data Breach Incident Report (DBIR) stating that phishing and pretexting represent the start of a whopping 93% of breaches, adequate consideration of the human element of a solution should be at the forefront of software and application designers’ minds.
Additionally, using design thinking when implementing DevSecOps focuses on the internal users — the developer and the DevOps engineer — to ensure their priorities (delivering working solutions on-time) remain possible. If we do not empathize with their goals, they will not embrace our changes in the realm of security.
Shifting Boundaries Between Employees, Suppliers, and Customers
As more and more businesses move to cloud-based solutions, the boundary between employee, supplier, and customer has never been so thin. Formal organizational structures with internal teams managing business applications are unrecognizable in today’s businesses: Who plays what role and with what authority? What access is really needed? How are granular access controls being managed? Who is really responsible?
Next-generation supply chain management is imperative to business success and breach prevention. Better and more frequent validation of third-party controls is needed. An organization’s supply chain is only as strong as its weakest link, so understanding and managing security risks associated with suppliers is more important than ever.
Ensuring third-parties (in addition to the workforce) are able to efficiently do their jobs — while still maintaining an acceptable organizational risk profile — will be a formidable challenge.
According to Gartner, solutions like Data Loss Prevention (DLP), Identity governance and administration (IGA), and Identity and Access Management (IAM) will help organizations cope with a shifting “trusted user” landscape.
“Web App Security Testing” Is More Important Than Ever
Not only is this the hottest and most attractive job market for 2019, but Gartner has advised that security testing is the fastest-growing security market.
From groceries to home genetics test kits, a significant portion of the data we send and receive passes through mobile apps and websites. In 2015, Gartner reported that ‘75% of cyber-attacks and Internet security violations are generated through Internet applications.’ The application layer is the component most exposed to attack.
Many of these apps are written by individuals, or small companies, who are more concerned with generating users per day than with user-facing vulnerabilities.
Touching on the DevSecOps concept, not all security testing can be automated. Web app testing tools are difficult to keep updated and do not catch everything. Code review tools are akin to “spell check” or “signature-based analysis”; they are not infallible, but automated testing is still necessary.
Increased resources will need to be spent on security testing to keep up with the speed and agility of most iterative software development life cycles.
Security Awareness Training Evolves Beyond a “Once-Yearly 30-minute” Course
Employees don’t need more security awareness training videos, they need to be exposed to better security awareness programs that provide regular, positive reinforcement via “teachable moments” to improve security user practices.
Security awareness is about breaking bad habits. Positive reinforcement for correct behavior, more frequent testing at random times, and a combination teaching approach that includes in-person training and exercises in addition to computer-based training/web-based training (CBT/WBT) are all needed to make users sit up and take notice.
Gamification and other measures to make security awareness relevant and engaging to employees are key to ensuring appropriate actions are regularly taken when social engineering and physical attacks are suspected.
Internal awareness programs must focus on high-risk groups and provide role-based training for employees, contractors, suppliers, etc. Automation can help with identifying and remediating (via training) any failures found through testing. Phishing testing should be conducted more often at non-predictable intervals, and customized spear-phishing testing should be performed for high-risk individuals.
Spear-vishing (vishing = voice phishing, done over the phone) is also a prevalent attack vector, so training and testing should be performed regularly.
Serverless and Microservice Technologies Solve Some Challenges, Introduce New Concerns
The application strategy to “keep it small” by utilizing microservices and “serverless” solutions enables very rapid delivery via “functions as a service” (FaaS), letting developers push code faster and consume resources only on demand. While this might be great for innovation, cost, and speed, these technologies introduce new security concerns.
Protego Labs recently discovered that 98 percent of functions in serverless applications are at risk, with 16 percent considered “serious.” In serverless, functions tend to be provisioned with more permissions than they require.
Excess permissions can be removed by applying least privilege and configuring permissions on each individual function, which improves the security of both the function and the application; however, that takes extra time and an organizational commitment to security at a granular level. Educated developers can overcome this obstacle, but time to release and functional correctness will likely win over security in most cases, and hasty or uninformed development can quickly create a great deal of risk.
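As an added illustration of the least-privilege point above (not code from the original article), the following Python compares two constructed, AWS-style IAM policies for a hypothetical order-processing function and flags the wildcard grants that leave it over-permissioned; all bucket, table and account identifiers are made up.

```python
# Added example: flag over-permissioned serverless function policies.
import json

# Constructed: a function role granted far more than the function uses.
OVER_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:CreateLogStream",
         "Resource": "arn:aws:logs:us-east-1:123456789012:*"},
    ],
})

# Constructed: the same function scoped to the one bucket and table it touches.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-orders-bucket/incoming/*"},
        {"Effect": "Allow", "Action": ["dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
        {"Effect": "Allow", "Action": "logs:CreateLogStream",
         "Resource": "arn:aws:logs:us-east-1:123456789012:*"},
    ],
})


def policy_findings(policy_json):
    """Return (statement index, reason) pairs for every Allow statement that
    grants a service-wide wildcard action or applies to every resource."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
        if "*" in resources:  # a scoped ARN ending in '*' is not flagged
            findings.append((i, "applies to every resource ('*')"))
    return findings
```

Running `policy_findings` over the first policy yields four findings (two per wildcard statement) and none over the scoped version; the log-group ARN ending in `*` is deliberately left alone, since it is already confined to one account and region.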
The attack surface of FaaS is much larger than traditional Cloud applications, as each function and component is an entry point into the application. Injection flaws top the list of possible vulnerabilities in serverless apps, which might seem like a step backward into OWASP Top 10 territory.
According to Israel Thomas, Associate Security Analyst at We45, new attack vectors introduced in FaaS include:
● Increased attack surface: As serverless functions consume data from multiple event sources, such as HTTP APIs, message queues, cloud storage, and IoT device communications, the attack surface includes protocols and complex message structures which are hard for a typical web application firewall to inspect.
● Attack surface complexity: Right off the bat, the attack surface of the architecture is quite new. Hence it could be a bit of a hassle to adapt and scale for the developers; the probability of misconfiguration is very high.
● Overall system complexity: It is very difficult to visualize and monitor applications developed with serverless architectures, as it is not a typical software environment. Hence, proper logging of events and functions is crucial for timely troubleshooting and for responding to security events.
● Inadequate security testing: Security testing on applications built on serverless architectures is far more complex when compared to standard applications. This is why automated scanning tools have not yet adapted to scan applications developed on serverless architectures.
Like traditional cloud, using functions as a service shifts a significant amount of trust to the provider, so adopters need to consider similar privacy concerns as with any shared cloud environment. Application managers will need to determine the best way to cope with the increased attack surface created by the increased number of functions with direct access to the app.
Baselining and monitoring apps that are running on-demand makes anomaly detection more challenging. Logging capabilities of the current serverless technologies may or may not be adequate for security investigation and early attack detection; if not, serverless apps need to counteract the inadequacy. Verbose logging is useful for debugging, but it is also useful for an attacker.
FaaS technologies are still cutting-edge, and many questions need to be answered: Will developers and DevOps eventually replace Q/A? How can separation of duties be implemented if developers are releasing directly to production? If FaaS application code is being autonomously deployed instantly and repeatedly by developers, what do organizations need to start doing to keep up with securing new code? 2019 will present a new frontier for organizations utilizing this type of application delivery model.