In part 1 of web security trends 2020, we discussed the rise of Crowdsourced Security and the ever-changing attack surface. This time we turned to 3 security leaders to get their perspective on trends to come in 2020:
Anne-Marie Eklund Löwinder
CISO at the Swedish Internet Foundation, Internet Hall of Fame (2013) and holder of one of The Keys to the Internet:
What security issues/trends are you anticipating for 2020?
We are all targets. I believe that the world of digitalization continues to grow in complexity. As a result of that, it becomes even more difficult to protect the technical environment appropriately in our homes and workplaces.
With more and more systems and software, plugins and apps, we will continue to be challenged with keeping everything updated. Attackers will probably outpace incomplete and hurried patches. With more devices brought to our homes, most of them with network access with or without our knowledge, the exposition will let cybercriminals to home in on IoT devices for espionage and extortion. The digitalization leads to critical infrastructures being more exposed and they will most certainly be plagued by more attacks and production downtimes (I’ve just finished reading Sandworm by Andy Greenberg).
The increasing use of cloud services continues to change the security map. When more and more companies are handing over their information to someone else’s IT environment, aka cloud service providers, vulnerabilities in their environment, such as container components, will be top security concerns for DevOps teams.
Some novelties will introduce new attack surfaces for misconfiguration and vulnerable codes. Not monitoring enough will result in bigger damages than necessary. User misconfigurations and insecure third-party involvement will also compound risks in cloud platforms.
Threat intelligence will need to be augmented with security analytics expertise for protection across security layers. Which means companies must put more resources on security. But will they? Are the executive leaders of the companies willing to act upon the increasing risks? To what extent?
Are there any trends to do with security automation or ethical hackers?
I am not aware of any specific trends that do with security automation or ethical hackers, but the value in skilled ethical hacking is critical for identifying vulnerability in cybersecurity solutions before a real bad actor comes along. NSA recently handed over a serious vulnerability in Windows 10 to Microsoft, which to me shows a change in behaviour. Maybe they understand the problem with keeping them secret for future use when the collateral damage threatens to be global.
What are your current challenges and how do you plan to tackle these this year?
My current challenges are to keep the staff (at the Swedish Internet Foundation) happy by offering new and modern solutions, and keep them informed about the risks and of what’s going on at the same time.
What event do you look forward to in 2020?
Internetdagarna! As always.
Tanya Janca
Application security specialist, Ethical hacker, Pentester, Women in Security co-founder, frequent speaker:
What security issues/trends are you anticipating for 2020?
I anticipate more breaches and news stories of ‘cyber tragedy’, but also more companies investing in their employees via training and enablement in the workplace to create processes for faster and more effective security.
I also think we will see a lot more cultures moving towards DevOps and automation of security testing, defences and detection. I believe the Information Security field will try to move towards using more Artificial Intelligence/Machine Learning to provide better security experiences, for better or worse. I also foresee many companies abusing new technologies to violate user’s privacy, which is a trend I find both unethical and worrisome.
Read: Tanya’s blog series on DevOps and security: Pushing Left, Like a Boss.
Are there any trends to do with security automation or ethical hackers?
More and more development shops are realizing that if they don’t move to the DevOps model/culture they will no longer have a competitive advantage. I am currently seeing many security teams that are getting on board with this, adding automation, security sprints and adding security tooling to CI/CD pipelines, and other forms of “DevSecOps” (application security activities that are adapted to DevOps environments). I’m also seeing quite a few mature AppSec companies creating stripped-down versions of their tools to be used in pipelines, with varying results, and newer companies that have CI/CD in mind when creating brand new products.
I’m very, very excited to see innovation in this area in 2020. Application Security is a young field, and I suspect there will be very new types of tools coming out to solve this problem in new ways, and I can’t wait to see it.
What are your current challenges and how do you plan to tackle these this year?
This year I have three career goals:
- to help guide and support a few new AppSec startups in hopes to help them launch new and innovative products
- to create DevSecOps and AppSec training that is affordable, accessible and fun
- to have a better work/life balance than I have had in previous years.
I will also continue to coach companies launching and improving their AppSec, DevSecOps and Azure security programs. Wish me luck!
What ways will you/your team measure success this year?
I keep personal and professional KPIs that I won’t share here, but I can say that I believe setting goals and measuring yourself (regularly) against them is a fantastic way to ensure you reach your version of success.
I also believe in setting and enforcing personal and professional boundaries (for example, I do not take meetings before 9:00 am because sleep is very important to me). Setting a list of yearly/quarterly/monthly goals, as well as a set of boundaries, is an activity that I feel would serve any person well in their career.
What event do you look forward to in 2020?
I always look forward to every WoSEC (Women of Security) meetup, especially the “WoSEC Crashes RSAC” meetup during RSAC this year! I’m also looking forward to several different locations of B-Sides, and I especially love the AppSec conferences from OWASP.
Laura Kankaala
Security Researcher and Undetected podcast host at Detectify, ethical hacker, Disobey board member and frequent speaker:
What security issues are you anticipating for 2020?
Security of cloud environments and understanding exposed attack surface is going to be crucial for companies to secure sensitive data. Having sensitive data storage or internal servers accessible over the Internet and indexed directly in services such as Shodan is an unnecessary risk that companies are taking with their infrastructure. As of writing this, there are more than 73,000 MongoDBs available indexed in Shodan. Most of these are likely hosted in some Software-as-a-Service (SaaS) platform.
On the positive side, I think companies are becoming more vigilant about security. It is kind of hard to ignore security because data breaches and security incidents are constantly in the mainstream media. I encourage companies of all sizes to take a critical look at their security practices and at least include a responsible disclosure policy on their public website.
Are there any trends to do with security automation or ethical hackers?
I’m sure the usage of crowdsourced security will increase, it seems like the number of bug bounty programs, both public and private, outnumber the active researchers. For Crowdsourced security to be successful, we [security professionals] need to get better at sharing knowledge and offer help to get people started in security research.
However, bug bounties are just one facet of ethical hacking, as they typically just scratch the surface of the overall security of the company. For example, fixing an XSS bug found by a bug bounty researcher won’t fix the root cause of why XSS vulnerabilities exist. Preventative measures like security tools and educational content should reach the developers without increasing their workload tremendously.
When it comes to automating security, I think it is important to automate tedious tasks to pave way for tasks that require more time and attention. Automation also works to provide more consistency in security testing results in different phases of software development. In order for companies to grow bigger and faster in a secure manner, it makes a lot of sense to employ automation in the appropriate places.
What are your current challenges and how do you plan to tackle these this year?
This challenge will probably span over multiple years, but I want to make security automation the norm.
What we are doing at detectify is in addition to in-house security researchers we work closely with Crowdsource ethical hackers all around the world to be able to tap into the knowledge of novel vulnerabilities to complement our security automation tool. I don’t think this is necessarily a challenge, but more like a great opportunity for our customers to get insight into the security posture of their web applications and get knowledge of zero-day vulnerabilities as soon as possible.
What ways will you/your team measure success this year?
For me, success doesn’t happen in a void. Things are either done or they are not done. Getting things done can surely be a success, but will it truly matter unless it has a positive effect on someone else’s life?
My team and I have set numeric and performance-based goals that are a general path to follow. However, to be successful, the teams need to meet more than numbers and performance metrics. We need to collaborate and provide something meaningful to our community and peers.
What event do you look forward to in 2020?
I have a personal stake in this, but I am looking forward to Disobey that we are organizing in Helsinki, Finland. I am on the board of members for this conference so I hope that everything runs smoothly. We have a very active infosec community in Finland, but it’s exciting to see people from all over the world attending our event, either as a speaker or as an attendee.
How can Detectify help with your security plans for 2020?
Keeping up with the fast-pace of web security is a challenge if you are only relying on standard CVE libraries and annual security checks. Detectify works with some of the best ethical hackers in the world to deliver security research and modules from the forefront of security, so you can stay on top of emerging threats. Interested in giving Detectify a go? Start your 14-day free trial today.