Software plays an important role in our lives, but much of it is new technology with which stakeholders and creators have little functional experience and even less security experience.
With more vehicles, financial transaction applications and daily services dependent on software, will consumers demand to know what the software they are using is made of, just as they expect to know the ingredients of the food on supermarket shelves before purchasing it?
How will this impact companies? With economic uncertainty, what can we expect in terms of application security and cybersecurity? With the year coming to a close, we’ve gathered the perspectives of several industry experts from Synopsys Software Integrity Group.
Kelvin Lim, Director of Sales Engineering, APAC
The global economic uncertainty may lead to market consolidation in the App Sec space. Startups in the application security space and global companies with weaker financial standing may be forced to downsize or be acquired. In addition, companies must choose App Sec vendors with a strong financial position and market size when purchasing App Sec tools.
App Security will gain importance in 2023. Companies will invest more in app security, and it will be a topic of conversation in the C-suite. As a result, companies will increase their budgets and resources for App Sec. Recent attacks on major Australian companies have raised awareness of the importance of strong API security among Australian businesses.
This trend is likely to accelerate and spread throughout APAC as more companies embrace the API economy and increase the number of business transactions conducted via API.
Dennis Kengo Oka, Principal Automotive Security
After the official release of the cybersecurity engineering standard ISO/SAE 21434 in August 2021, automotive organizations in 2022 ultimately put a high emphasis on establishing cybersecurity policies and processes, building security teams and workflows, as well as performing relevant cybersecurity activities during the product development lifecycle.
Also in 2022, UN Regulation No. 155 on Cybersecurity and Cybersecurity Management Systems (CSMS) became mandatory in UNECE member countries, applying to all new vehicle types for type approval, further emphasizing the need for cybersecurity.
In 2023, we will see an increased need for cybersecurity as vehicle development shifts more towards software-defined vehicles and the deployment of advanced solutions, including autonomous driving and mobility solutions that also involve backend systems and users’ mobile devices.
This vehicle ecosystem has an increased attack surface with highly valuable and safety-critical targets. It is imperative that the industry continues to follow best practices and cybersecurity standards not only for vehicle development but for the entire vehicle ecosystem.
In particular, for software development, automotive organizations are adopting more agile development methodologies, and therefore the need to develop faster, test earlier, find and fix defects earlier, and monitor for security vulnerabilities is becoming increasingly paramount.
Lekshmi Nair, Managing Principal, APAC
Impact of an economic recession on cybersecurity
With the current uncertain market situation, the cybersecurity space will focus more on optimizing its efforts and spending, moving on from the “do it all” and “fix it all” approaches of earlier years. We will see fewer resources and tighter security budgets in corporate settings, resulting in a subpar security posture across organizations. Because of this, threat actors will capitalize on this asymmetry and evolve faster, creating the perfect storm for an amplified number.
Security will still be playing catch-up as a result. The positive side of this situation will be that CISOs will move beyond just insurance and checkbox compliance to opt for more proactive cyber security measures in order to maximise ROI in the face of budget cuts, shifting investment into tools and capabilities that continuously improve their cyber resilience.
This could increase the use of “detection and self healing” tools, automations and AI based systems. This could also result in increased usage of production monitoring of apps (WAF, WhiteHat etc.) and Application Security SOC (CodeDX) to give a comprehensive metrics view of vulnerabilities and related actions.
Increase in API attacks resulting in investment in API Security strategy
APIs are enabling distributed infrastructure driven by modern requirements.
Recent attacks like the one on Optus, which resulted from API security flaws, are creating a renewed awareness of the need for secure architecture, robust testing and API monitoring.
- Lack of visibility: Minimal view of used and unused APIs. Malicious API calls are at 2.8% of the total API call volume.
- Limitations of current monitoring tools: Many of the continuous scanning tools focus on APIs that are embedded in web applications. API gateways or WAFs are not enough to detect and stop XSS, SQL, and JSON injection attacks.
- Inadequate business logic testing: Often excludes business logic executed through APIs.
Focus on regulatory compliance and executive order
There have been many regulations, standards and orders released in the past few months, like the US executive order requiring software sellers to provide federal agencies with an SBOM, and the updated Code of Practice for CII of Singapore – Second Edition, released on 4th Jul 2022 by the Cyber Security Agency of Singapore (CSA), requiring pentesting agencies to get a license.
DORA – Digital Operational Resilience Act: the European Commission introduced in September 2020 a proposal for a regulation on digital operational resilience for the financial sector, commonly referred to as the Digital Operational Resilience Act (DORA), and several others. These will put pressure on industries as well as consulting organizations to enhance their efforts in compliance and controls in all sections of cybersecurity.
A common element in all these regulations is the requirement for periodic penetration testing of applications, incident response, supply chain and open source security.
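The API bullets above make two separate points: signature-based controls at the gateway or WAF miss injection carried in JSON fields they are not tuned for, and they see nothing wrong at all with business-logic abuse, where every field in the request is well formed. The following example, written for this edit and not code from Synopsys or any product named on the page, puts both side by side: a toy WAF rule set, an order endpoint that trusts a client-supplied price beside its hardened version, and a lookup endpoint that concatenates a JSON field into SQL beside a parameterised one. The catalogue, the users table, the rule set and the three request bodies are all constructed for the demo.

```python
import json
import re
import sqlite3

# Constructed server-side catalogue; in a real service this comes from the
# product database, never from the client request.
CATALOGUE = {"SKU-100": 49.99, "SKU-200": 120.00}

# A toy gateway/WAF rule set: signature matching on the raw request body.
# Deliberately small, to show the class of control rather than any vendor's rules.
WAF_SIGNATURES = [
    re.compile(r"<script", re.IGNORECASE),
    re.compile(r"\bunion\b\s+\bselect\b", re.IGNORECASE),
    re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
]


def waf_allows(raw_body: str) -> bool:
    """True when no signature matches, i.e. the request reaches the application."""
    return not any(sig.search(raw_body) for sig in WAF_SIGNATURES)


# --- business-logic flaw: nothing in the payload looks malicious -------------

def vulnerable_order(raw_body: str) -> dict:
    """Trusts the client's unit_price and does not bound quantity."""
    req = json.loads(raw_body)
    total = req["unit_price"] * req["quantity"]
    return {"sku": req["sku"], "total": round(total, 2)}


def hardened_order(raw_body: str) -> dict:
    """Price is authoritative server-side; quantity is type- and range-checked."""
    req = json.loads(raw_body)
    sku = req.get("sku")
    qty = req.get("quantity")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    # bool is a subclass of int in Python, so it is excluded explicitly
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return {"sku": sku, "total": round(CATALOGUE[sku] * qty, 2)}


# --- injection through a JSON field that the signatures do not cover ---------

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_body: str) -> list:
    """Concatenates a JSON field straight into the SQL text."""
    req = json.loads(raw_body)
    sql = f"SELECT name, role FROM users WHERE name = '{req['name']}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, raw_body: str) -> list:
    """Parameterised query plus a type check on the field."""
    req = json.loads(raw_body)
    name = req.get("name")
    if not isinstance(name, str):
        raise ValueError("name must be a string")
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Constructed request bodies for the demo.
LOGIC_ABUSE = json.dumps({"sku": "SKU-100", "unit_price": 0.01, "quantity": 3})
NEGATIVE_QTY = json.dumps({"sku": "SKU-100", "unit_price": 49.99, "quantity": -2})
INJECTION = json.dumps({"name": "x' OR role = 'admin' --"})

if __name__ == "__main__":
    conn = setup_db()
    for label, body in [("logic abuse", LOGIC_ABUSE), ("injection", INJECTION)]:
        print(label, "passes WAF:", waf_allows(body))
    print("vulnerable total:", vulnerable_order(LOGIC_ABUSE)["total"])
    print("hardened total:  ", hardened_order(LOGIC_ABUSE)["total"])
    print("vulnerable lookup:", vulnerable_lookup(conn, INJECTION))
    print("safe lookup:      ", safe_lookup(conn, INJECTION))
```

Both constructed requests pass the toy WAF. The order request is caught only by a server-side rule that knows what a valid order is (price from the catalogue, quantity in range), which is exactly the business-logic testing the bullets say is often skipped; the lookup request is caught by the parameterised query, not by any pattern in the body.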
Michael White, Technical Director and Principal Architect
Product security accountability becomes real
Given the rise of regulation like EO 14028, the EU CRA, UK PSTI, and others – leaders have to sign their name on declarations to say that they have done everything required to assure products are developed securely and provide support via e.g. monitoring and ongoing vulnerability response (think: be ready to roll out patches) for the lifetime specified in those declarations. In some cases this means cyber labeling – by regulation or voluntary initiatives.
What this implies is that there will be much more scrutiny from legal and compliance teams – and those who must sign off on product deliverables – that they do so with confidence.
Software supply chain awareness surges
As organizations become concerned about what could be in their software and where it comes from, we’ll start to peel the layers of the onion and understand all the possible corner cases where we need to have appropriate controls. Since everyone is in a supply chain, and most are in the middle, this means not just internally but also externally, and also ties into the need to provide trusted attestations in support of product security mandates.
This will mean much more transparency is required – not just SBOM, but also the whole chain of custody of who touched what, which tools were used, what testing was performed, etc.
Firms will look to toughen up their internal supply chain and software delivery infrastructure, as well as cascade down to their providers and vendors a requirement for transparency. Another side effect is the need to take open source (and inner source) seriously – with many organizations standing up open source program offices (OSPOs) for the first time.
The rise of the developer platform as a product
Taking into account the above – it is simply infeasible for individual dev teams to manage their own lifecycle, dev tool chain, and platforms. The development environments themselves will be treated as products in their own right, and have security checks and controls baked in.
This doesn’t happen only because of security but because other factors are coming together: cost efficiency, organization scaling, as well as the up-side benefits of agility, predictability, and flexibility. This need not be a restrictive framework, but rather making developers’ lives easier by offering them the golden path which reduces the administrative burden later.
The key buzzword here is ‘platform engineering’ and it will represent an evolution of the teams called ‘devops support’. This ties into the theme of reusability, and Gartner forecasts that 80% of organizations will adopt this mindset by 2026 and I think it’s a good thing – it makes compliance, security, situational awareness much easier and ties up many loose ends.
Sammy Migues, Principal Scientist
Firms, especially Boards and their risk committees, will see that detective controls alone are not keeping their businesses safe from malware, ransomware, software vulnerabilities, and other technical sources of risk. They’ll begin investing in preventive controls even if it means stifling some amount of creativity in tech like cloud, networks, development, and operations.
It’s been true every year for a while and will be true this year also: More of the world is becoming software, much of that software is new tech for which stakeholders and creators have little functional experience and even less security experience, that software is interconnected and will affect how people live their lives, and all of it is vulnerable to attack.
We will start accepting as a day-to-day possibility that some mundane event can’t happen on a given day, such as no one can make toast today because all internet-connected toasters use an AI engine that’s under a DDoS attack. In the battle of policy and culture, policy will come in second. DevOps and DevSecOps are culture changes, not policy mandates.
Firms that shape the culture to produce the expected outputs will fare better in cybersecurity challenges. People will demand to know what their software is made of. Whether it’s a ‘nutrition label’ or ‘bill of materials’ or similar, orgs will demand that vendors account for all software in apps and devices, where it came from, how it was built and tested, and how it’s maintained. In a few years selling opaque software will be the exception rather than the rule.
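Michael White’s supply-chain section asks for more than an SBOM: a record of who built an artifact, which tools touched it and what testing ran, backed by a trusted attestation; the closing paragraph frames the same demand as a ‘nutrition label’ that accounts for where software came from and how it was built and tested. The example below, written for this edit and not tooling from Synopsys or any project named on the page, shows the minimum machinery behind that: an SBOM in the CycloneDX JSON shape with per-component hashes, a chain-of-custody statement in the in-toto Statement shape that binds the artifact digest, the SBOM digest and the build evidence together, and a verifier that rejects a swapped artifact, an edited SBOM or a bad signature. Assumptions: the predicate type URL and predicate fields are this example’s own, an HMAC over a shared key stands in for the asymmetric signing a real pipeline would use, and the component bytes, artifact bytes, builder id and tool names are constructed.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic serialisation so digests and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_sbom(app_name: str, app_version: str, components: list) -> dict:
    """components: (name, version, ecosystem, content_bytes). CycloneDX JSON shape."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": app_name, "version": app_version}},
        "components": [
            {
                "type": "library",
                "name": name,
                "version": version,
                "purl": f"pkg:{ecosystem}/{name}@{version}",
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}],
            }
            for name, version, ecosystem, blob in components
        ],
    }


def build_statement(artifact_name: str, artifact_bytes: bytes, sbom: dict,
                    builder_id: str, tools: list, tests: list) -> dict:
    """in-toto Statement shape; predicateType and predicate fields are hypothetical."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": sha256_hex(artifact_bytes)}}],
        "predicateType": "https://example.invalid/chain-of-custody/v1",
        "predicate": {
            "builder": builder_id,        # who built it
            "tools": tools,               # which tools were used
            "tests": tests,               # what testing was performed
            "sbomDigest": sha256_hex(canonical(sbom)),  # binds the SBOM to this build
        },
    }


def sign(statement: dict, key: bytes) -> dict:
    """HMAC stands in for a real signature scheme (assumption for the demo)."""
    payload = canonical(statement)
    return {"payload": payload.decode(),
            "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify(envelope: dict, key: bytes, artifact_bytes: bytes, sbom: dict) -> tuple:
    """Checks signature, then artifact digest, then SBOM digest, then test evidence."""
    payload = envelope["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        return False, "bad signature"
    st = json.loads(payload)
    if st["subject"][0]["digest"]["sha256"] != sha256_hex(artifact_bytes):
        return False, "artifact digest mismatch"
    if st["predicate"]["sbomDigest"] != sha256_hex(canonical(sbom)):
        return False, "sbom digest mismatch"
    if not st["predicate"]["tests"]:
        return False, "no test evidence"
    return True, "ok"


# Constructed inputs for the demo.
COMPONENTS = [("requests", "2.28.1", "pypi", b"fake requests wheel bytes"),
              ("urllib3", "1.26.12", "pypi", b"fake urllib3 wheel bytes")]
ARTIFACT = b"fake application bundle bytes"
KEY = b"demo-shared-key"   # example only; real pipelines use asymmetric keys


def demo() -> dict:
    sbom = build_sbom("billing-api", "1.4.0", COMPONENTS)
    stmt = build_statement("billing-api-1.4.0.tar.gz", ARTIFACT, sbom,
                           "ci://build-runner-7", ["gcc 12.2", "sast-scanner 3.1"],
                           [{"suite": "unit", "result": "pass"}])
    env = sign(stmt, KEY)
    results = {"genuine": verify(env, KEY, ARTIFACT, sbom)}
    tampered = json.loads(json.dumps(sbom))          # deep copy, then edit a version
    tampered["components"][0]["version"] = "2.28.0"
    results["sbom_tampered"] = verify(env, KEY, ARTIFACT, tampered)
    results["artifact_swapped"] = verify(env, KEY, ARTIFACT + b"\x00", sbom)
    results["wrong_key"] = verify(env, b"other-key", ARTIFACT, sbom)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>16}: {outcome}")
```

The verifier checks the signature first so that no field of an unauthenticated statement is ever trusted; the SBOM and the artifact are then each pinned by digest inside the signed statement, which is what lets a downstream consumer in the middle of the chain confirm that the bill of materials it received describes the build it received.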