Cybersecurity predictions that should be on your company’s radar in 2023

It’s still the season for gazing into the crystal ball that tells us what’s going to happen in the world of cybersecurity for the rest of the year. Or at least we wish it would.

Crystal balls are always cloudy, which means predictions are hard — especially about the future, as the late, great Yogi Berra said. Indeed, weather experts have a tough time telling us what’s going to happen in a week, never mind the rest of a year that’s just beginning.

2023 predictions to help you plan better

But forecasts, even if they’re not guaranteed, are still useful. Most people and firms that succeed do so in part by planning ahead. And to do that takes foresight and the courage to make good guesses that might not come true. Fortunately, here at the Synopsys Software Integrity Group, we’ve got a cadre of experts who have both. The predictions below aren’t guarantees, but they are likely. Which means they can help you plan for a better 2023.

Artificial but irresistible

Sammy Migues, Principal Scientist

I think we’ll see some new and interesting side effects from technology that gave us deep fakes and ChatGPT. Technical interviews over video call should be a snap if you have a real expert sit in for you — and look and sound just like you. If you don’t have such an expert handy, why not just send the questions to ChatGPT and read the answers?

Don’t have time to learn how to configure that new security device? Forget technical support — ask ChatGPT for a step-by-step checklist! Don’t have time to write that crypto module? Ask the AI to do it! Don’t have years of log data to support your massive budget request? Have the AI generate it in minutes! The possibilities are endless. Sure, the AI is just a mindless automaton spewing things it’s assembled, but it can be convincing at first glance.

Supply chain awareness surge

Michael White, Technical Director and Principal Architect

As companies become concerned about what could be in their software and where it comes from, we’ll start to peel back the layers of the onion and understand all the possible corner cases where we need to have appropriate controls. This will mean much more transparency is required — not just software Bills of Materials (SBOMs), but also the whole chain of custody of who touched what, which tools were used, what testing was performed, etc.

Firms will look to toughen up their internal supply chain and software delivery infrastructure, as well as cascade down to their providers and vendors a requirement for transparency.

Endemic insecurity

Jonathan Knudsen, Head of Global Research

People will still not take software risk seriously, will continue to build things too fast without doing it properly, and will still not think about security until their house is actually burning.

Southwest Airlines should be a wake-up call. Obviously all organisations are software companies, and how much is their meltdown going to cost them? But we have had at least five decades of wake-up calls and we just keep hitting the snooze button.

Sammy Migues

It’s been true every year for a while and will be true this year also: More of the world is becoming software, much of that software is new tech for which stakeholders and creators have little functional experience and even less security experience, that software is interconnected and will affect how some people live, and all of it is vulnerable to attack.

In addition, we will start accepting as a day-to-day possibility that some mundane event can’t happen on a given day, such as no one can make toast today because all internet-connected toasters use an artificial intelligence (AI) engine that’s under a DDoS attack.

Open source eats the software world

Gunnar Braun, Technical AppSec Account Manager

The value of open source software (OSS) is not just that it’s free. It’s the enormous number of software components available for almost every problem you’ll ever face. Businesses are realising their dependence on OSS as an enabler. Many OSS projects are backed not just by large enterprises that produce a lot of OSS on their own, but now also by smaller companies.

This is their investment in the quality and security of OSS so they can continue to use and rely on it. I predict that smaller companies will invest more in the OSS they use, and bigger players will build programs to bring order to the chaos, like Google’s Assured Open Source Software service. We will see what level of acceptance the latter will achieve.

Ounces of prevention

Sammy Migues

Firms, especially boards and risk committees, will see that detective controls alone are not keeping them safe enough from malware, ransomware, software vulnerabilities, and other risk. They’ll begin investing in preventive controls even if that means stifling some amount of creativity in technology areas such as cloud, networks, development, and operations.

SBOMs away

Anita D’Amico, Vice President, Cross-portfolio Solutions and Strategy

Organisations increasingly motivated by the need to rapidly respond to the next Log4j-like vulnerability will accelerate contractual requirements for SBOMs from their software suppliers. But how will the procurers know that these SBOMs are accurate? This will then create a demand for the validation of SBOMs to fulfill these contractual requirements.

Also, the acronym “SSDF” will start rolling off the lips of anyone concerned with the software supply chain. The SSDF — Secure Software Development Framework — published by the National Institute of Standards and Technology in 2022, will become the north star for organisations that need to demonstrate best practices in software security.

Stanislav Sivak, Associate Managing Security Consultant

This year, we’ll see increased demand that software suppliers provide their open source SBOM and associated risk posture to their customers. The efforts will be directed, at least in larger organisations, at having a holistic, continuous overview of software composition and its origins (COTS, open source, partner) instead of a point-in-time approach.

Such firms will need to establish a platform that can process inputs, understand context, generate output like an SBOM in the appropriate format, and give intelligence around its data.

Authentication evolution

Boris Cipot, Senior Security Engineer

For many years, we made slow progress with data security. Until recently, the model we used rested on the use of a username (who I am) with a password (what I know). That was then extended to a third factor — confirming one’s identity with another device (what I own).

Microsoft announced that it will move away from passwords and rely only on identification through their authentication app. This would certainly mean the end of bad password hygiene — from its misuse to the repeated use of the same one across multiple accounts.

But we have yet to see how many online services will follow suit — not all firms have the same capabilities as Microsoft’s Authenticator app or Google’s ID Confirmation. Nevertheless, more services might start sending text messages or emails with a code. It is important to watch out, though, that unauthorised persons do not gain access to those resources.

Sammy Migues

I think 2023 is the year that multifactor authentication really becomes a common thing. Even if people don’t enable it, firms will begin setting it as the default. It’s just easier on everyone to cause a little authentication friction compared to trying to recapture a stolen account.

Layers of protection

Amit Sharma, Security Engineer

Cybersecurity awareness training will remain essential to the prevention of a variety of cyberattacks for firms of all shapes and sizes. This is an important way for businesses to prevent phishing attacks. As more firms adopt cloud solutions, cloud security strategies will continue to mature in the months and years ahead. Automation and configuration are of utmost importance to maintaining continuous sensitive data protection in the cloud.

We will also see a continued rise in use of orchestration tech like Kubernetes, and that will create an increased demand for container and Kubernetes security solutions. Following the supply chain attacks in 2022, maturity around supply chain governance and management is a must. Security mechanisms must be put in place internally, in addition to those of vendors.

All aboard the awareness training train

Meera Rao, Senior Director for Product Management

Breaches we saw in 2022 were mostly related to social engineering attacks. We saw that all it takes to be in the headlines for the wrong reason is one vulnerable user. A user without training in social engineering is an easy target for phishing and smishing attacks. So regular employee training has taken center stage and will be a key goal for organisations in 2023.

Taylor Armerding is the Security Advocate at Synopsys Software Integrity Group.