Researchers predict software security will continue to struggle to keep up with cloud and IoT in the new year.
IT security professionals spent most of 2020 managing a once-in-a-generation workforce shift from office to home. With the initial push over, experts predict that 2021 will be focused on shoring up the cloud and re-imagining organizational workflows under this new normal. Software security will be critical in this environment.
That’s according to researchers from Checkmarx, which just published its 2021 Software Security Predictions report. It envisions a new era for software-development teams, including a focus on better application security tools, scaling on-premise security tools to the cloud and better protecting internet-of-things (IoT) devices.
Adapt to the Cloud
Checkmarx advises that software-development teams will need to keep pace with cloud-based application development going forward.
“You can’t push code and then roll back to fix vulnerabilities, as it presents an opportunity for malicious actors to infiltrate your systems,” Maty Siman, Checkmarx CTO said in the report. “In 2021, the tools used for application security that integrate into the tool chain must work much more rapidly, scale to cloud environments and present actionable findings in a format that developers can understand and use to make quick fixes.”
The message comes as cloud applications and environments are increasingly in the sights of attackers. This week, for instance, the National Security Agency issued an advisory warning that threat actors are using privileged access gained on-premises to compromise cloud resources.
“Malicious cyber-actors are abusing trust in federated authentication environments to access protected data,” the advisory read. “The exploitation occurs after the actors have gained initial access to a victim’s on-premises network. The actors leverage privileged access in the on-premises environment to subvert the mechanisms that the organization uses to grant access to cloud and on-premises resources and/or to compromise administrator credentials with the ability to manage cloud resources.”
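The abuse the advisory describes is hard to see from the on-premises side, because the attacker already controls it. The check below is an added example, not code from the NSA or Checkmarx: it compares what the cloud service accepted against what the organization's identity provider should be issuing. It assumes two constructed log sources (the cloud side's record of accepted SAML assertions with issuer, signing-certificate thumbprint and validity window, and the IdP's own record of assertion IDs it issued) and assumed pinned values for the issuer, the token-signing certificate and the maximum lifetime.

```python
"""Flag accepted SAML assertions that do not match the on-premises IdP's known configuration.

Added example; not NSA or Checkmarx code. Log formats, pinned values, hostnames
and thumbprints are all constructed for illustration.
"""
from datetime import datetime, timedelta

# Values the organization knows about its own IdP (assumed for illustration).
TRUSTED_ISSUER = "http://sts.example.test/adfs/services/trust"
TRUSTED_THUMBPRINTS = {"3f0c9a7e1b2d4c5e6f708192a3b4c5d6e7f80910"}
MAX_LIFETIME = timedelta(hours=1)   # what the IdP is configured to issue

# Constructed sample logs: a genuine login (_a1), an assertion signed by a
# certificate that is not the IdP's and valid for a week (_b2), a genuine login (_c3).
CLOUD_LOG = """\
ts=2020-12-17T10:00:03Z id=_a1 user=alice issuer=http://sts.example.test/adfs/services/trust thumb=3f0c9a7e1b2d4c5e6f708192a3b4c5d6e7f80910 nbf=2020-12-17T09:59:58Z exp=2020-12-17T10:59:58Z
ts=2020-12-17T10:12:41Z id=_b2 user=cloudadmin issuer=http://sts.example.test/adfs/services/trust thumb=9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d nbf=2020-12-17T10:12:00Z exp=2020-12-24T10:12:00Z
ts=2020-12-17T10:15:09Z id=_c3 user=bob issuer=http://sts.example.test/adfs/services/trust thumb=3f0c9a7e1b2d4c5e6f708192a3b4c5d6e7f80910 nbf=2020-12-17T10:15:04Z exp=2020-12-17T11:15:04Z
"""
IDP_LOG = """\
ts=2020-12-17T10:00:02Z id=_a1 user=alice
ts=2020-12-17T10:15:08Z id=_c3 user=bob
"""


def parse_kv(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def check_assertion(rec, idp_issued_ids):
    """Return the reasons an accepted assertion looks forged (empty list if none)."""
    reasons = []
    if rec["issuer"] != TRUSTED_ISSUER:
        reasons.append("issuer is not the pinned IdP")
    if rec["thumb"] not in TRUSTED_THUMBPRINTS:
        reasons.append("signed by a certificate that is not the IdP's token-signing cert")
    lifetime = parse_ts(rec["exp"]) - parse_ts(rec["nbf"])
    if lifetime > MAX_LIFETIME:
        reasons.append(f"lifetime {lifetime} exceeds IdP policy of {MAX_LIFETIME}")
    if rec["id"] not in idp_issued_ids:
        reasons.append("no matching issuance event in the IdP's own log")
    return reasons


def find_forged(cloud_log=CLOUD_LOG, idp_log=IDP_LOG):
    """Map assertion ID -> (user, reasons) for every accepted assertion that fails a check."""
    issued = {parse_kv(l)["id"] for l in idp_log.splitlines() if l.strip()}
    findings = {}
    for line in cloud_log.splitlines():
        if not line.strip():
            continue
        rec = parse_kv(line)
        reasons = check_assertion(rec, issued)
        if reasons:
            findings[rec["id"]] = (rec["user"], reasons)
    return findings


if __name__ == "__main__":
    for assertion_id, (user, reasons) in find_forged().items():
        print(f"{assertion_id} ({user}):")
        for reason in reasons:
            print("   -", reason)
```

Two caveats matter in practice. If the attacker has stolen the real token-signing certificate rather than substituting their own, the thumbprint check passes and only the lifetime and the missing IdP issuance event remain as signals. And since the advisory's scenario starts with privileged on-premises access, the IdP log itself may be tampered with; the cloud-side signals are the ones the attacker cannot quietly rewrite.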
Meanwhile, open source will continue to attract attacks.
“Rarely does a week go by without a discovery of malicious open-source packages,” Siman wrote. “Yes, organizations understand they need to secure the open-source components they’re using, and existing solutions help them in removing packages that are mistakenly vulnerable (where a developer accidentally puts a vulnerability into the package). But they are still blind to instances where adversaries maliciously push tainted code into packages. This needs to change in 2021.”
He advised steering clear of newly published components in favor of more “mature,” well-known open-source ones.
Infrastructure as Code
Developers have been feverishly building applications using new infrastructure-as-code environments, which, Siman said, has left major gaps in security. Going forward, that will drive additional training in IaC security.
“I expect to see malicious attackers exploit developers’ missteps in these flexible environments. To combat this, we will see a major concentration around cloud security training, IaC best practices, and additional spend allocated toward software and application security to support the demand of a remote workforce and more complex software ecosystems,” he added.
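The missteps Siman refers to are usually visible in the code before anything is deployed. As an added illustration (not a Checkmarx tool, and not a complete policy set), the checker below walks a Terraform-style JSON document and flags a few classic mistakes, with the weak configuration beside its corrected form. The resource names, values and the specific checks are assumptions made for the example.

```python
"""Catch common infrastructure-as-code missteps before the plan is applied.

Added example, not Checkmarx code. Both documents are constructed inline in
Terraform's JSON syntax; the checks are illustrative, not exhaustive.
"""
import json

INSECURE_TF = json.loads("""
{
  "resource": {
    "aws_s3_bucket": {
      "build_artifacts": {"bucket": "ci-artifacts", "acl": "public-read"}
    },
    "aws_security_group": {
      "bastion": {
        "ingress": [
          {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}
        ]
      }
    },
    "aws_db_instance": {
      "app": {"engine": "postgres", "publicly_accessible": true, "password": "Summer2020!"}
    }
  }
}
""")

# The same resources with each misstep corrected.
FIXED_TF = json.loads("""
{
  "resource": {
    "aws_s3_bucket": {
      "build_artifacts": {"bucket": "ci-artifacts", "acl": "private"}
    },
    "aws_security_group": {
      "bastion": {
        "ingress": [
          {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.20.0.0/16"]}
        ]
      }
    },
    "aws_db_instance": {
      "app": {"engine": "postgres", "publicly_accessible": false, "password": "${var.db_password}"}
    }
  }
}
""")

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ADMIN_PORTS = {22, 3389, 5985, 5986}


def as_list(value):
    """Terraform JSON allows a nested block to be one object or a list of them."""
    return value if isinstance(value, list) else [value]


def scan(doc):
    """Return (resource address, message) for every finding in a Terraform JSON document."""
    findings = []
    for rtype, instances in doc.get("resource", {}).items():
        for name, cfg in instances.items():
            addr = f"{rtype}.{name}"
            if rtype == "aws_s3_bucket" and cfg.get("acl") in PUBLIC_ACLS:
                findings.append((addr, f"bucket ACL '{cfg['acl']}' exposes objects beyond the account"))
            if rtype == "aws_security_group":
                for rule in as_list(cfg.get("ingress", [])):
                    ports = range(int(rule.get("from_port", 0)), int(rule.get("to_port", 0)) + 1)
                    if "0.0.0.0/0" in rule.get("cidr_blocks", []) and any(p in ADMIN_PORTS for p in ports):
                        findings.append((addr, f"admin port range {rule['from_port']}-{rule['to_port']} open to 0.0.0.0/0"))
            if rtype == "aws_db_instance":
                if cfg.get("publicly_accessible") is True:
                    findings.append((addr, "database instance is publicly accessible"))
                password = cfg.get("password")
                if isinstance(password, str) and not password.startswith("${"):
                    findings.append((addr, "database password is a literal in source rather than a variable or secret reference"))
    return findings


if __name__ == "__main__":
    for label, doc in (("insecure", INSECURE_TF), ("fixed", FIXED_TF)):
        print(f"{label}: {len(scan(doc))} finding(s)")
        for addr, message in scan(doc):
            print(f"  {addr}: {message}")
```

Run in CI before `terraform apply`, a check like this turns a misstep into a failed build rather than an exposed bucket. The literal-password rule only catches the obvious case; a value pulled from a variable can still be a hardcoded default elsewhere in the module.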
Security will Report to Development
Diva developers are a fact of life, and in order to drive security throughout the software-development process, security teams will have to orient themselves within development teams to increase collaboration, Siman explained.
“Developers are opinionated and increasingly influential, and you cannot force them to do or use something they don’t buy into,” he wrote. “To foster collaboration between security and development, security in 2021 will need to integrate into the development tool chain in a manner that the latter is most comfortable with.”
Holistic View of Security
Increasingly, Siman said, teams will need a comprehensive view of their security postures across the entire organization, driving a need for tools which provide that full ecosystem view.
When it comes to the security of open source in particular, more comprehensive views will allow organizations not only to know if they are consuming a vulnerable package, but also, and more importantly, whether or not the way that the application consumes it makes an attack or vulnerability possible.
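The distinction above, between consuming a vulnerable package and actually reaching the vulnerable code, is a reachability question. The following is an added example of the idea, not a Checkmarx tool: it resolves imports and call sites in a Python module with the standard `ast` library and reports whether any call reaches a function named in an advisory. The package name `yamlish`, the advisory identifier and both application snippets are constructed for the example.

```python
"""Decide whether a vulnerable dependency is actually reachable from application code.

Added example; not Checkmarx code. Only direct call sites inside one module are
resolved. Package, advisory and application snippets are constructed.
"""
import ast

# Assumed advisory feed: (package, function) -> advisory text.
ADVISORIES = {
    ("yamlish", "load"): "HYPO-2020-0001: yamlish.load() deserializes arbitrary objects",
}

APP_REACHABLE = '''\
import yamlish as y
from yamlish import load as parse_config

def handler(body):
    cfg = parse_config(body)          # untrusted input reaches the vulnerable loader
    return y.load(cfg["extra"])
'''

APP_NOT_REACHABLE = '''\
import yamlish

def handler(body):
    return yamlish.safe_load(body)    # same package, but only the safe entry point
'''


def imported_packages(tree):
    """Top-level package names the module imports, by any import form."""
    pkgs = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            pkgs.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            pkgs.add(node.module.split(".")[0])
    return pkgs


def vulnerable_calls(source, advisories=ADVISORIES):
    """Return sorted (lineno, (package, function), advisory) for each call that hits an advisory."""
    tree = ast.parse(source)
    module_alias = {}   # local name -> module, from 'import m [as x]'
    name_alias = {}     # local name -> (module, attr), from 'from m import f [as x]'
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                module_alias[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                name_alias[alias.asname or alias.name] = (node.module, alias.name)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        target = None
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name) and func.value.id in module_alias:
            target = (module_alias[func.value.id], func.attr)      # y.load(...)
        elif isinstance(func, ast.Name) and func.id in name_alias:
            target = name_alias[func.id]                           # parse_config(...)
        if target in advisories:
            hits.append((node.lineno, target, advisories[target]))
    return sorted(hits)


def assess(source, advisories=ADVISORIES):
    """Classify a module: 'clean', 'vulnerable-package-present' or 'vulnerable-function-reachable'."""
    pkgs = imported_packages(ast.parse(source))
    if not any(pkg in pkgs for pkg, _ in advisories):
        return "clean"
    return "vulnerable-function-reachable" if vulnerable_calls(source, advisories) else "vulnerable-package-present"


if __name__ == "__main__":
    for label, src in (("reachable", APP_REACHABLE), ("not reachable", APP_NOT_REACHABLE)):
        print(label, "->", assess(src))
        for lineno, (pkg, fn), text in vulnerable_calls(src):
            print(f"  line {lineno}: {pkg}.{fn}  ({text})")
```

The caveat a practitioner would want: this is static, single-file analysis. It misses `getattr`-style dispatch, calls made on the application's behalf by another dependency, and any path that only exists at runtime. "Present but not reachable" should lower a finding's priority, not close it, since the next refactor can make the call reachable.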
Cloud-native security is currently underutilized and not fully understood within the security community, but 2021 will see a push toward prioritizing locking down cloud environments, according to the report’s co-author and Checkmarx director of security research, Erez Yalon.
“If 2020 was the year of the API, 2021 will be the year where cloud-native security steals the spotlight,” Yalon wrote in the report. “APIs play a major role in cloud-native security, but the focus will turn to how cloud-based technologies continue to proliferate and increase in adoption across organizations. Securing the resulting ecosystems of interconnected cloud-based solutions will become a priority.”
That brings Yalon to his next, more ominous prediction: unsecured APIs will be the easiest point of entry for attackers.
“As malicious actors continue to ramp up their API-targeted attacks and organizations play catch-up in their understanding of how these programs can be exploited, adversaries will capitalize on this gap in the near-term, forcing developers to quickly identify ways to better secure API authentication and authorization processes,” he said.
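The authorization gap Yalon describes most often looks like this: an endpoint that authenticates the caller and then never checks that the requested object belongs to them. The example below is added here and is not from the Checkmarx report; it models an invoice API as plain Python functions with an in-memory session table. The tokens, user IDs, invoice records and the `support` role are constructed for the example.

```python
"""Broken object-level authorization in an API handler, beside its hardened form.

Added example; not Checkmarx code. Sessions, invoices and roles are constructed.
"""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str


# Constructed fixtures: two customers and one support user, each with a bearer token.
SESSIONS = {
    "tok-alice": Session("u1", "customer"),
    "tok-bob": Session("u2", "customer"),
    "tok-ops": Session("u9", "support"),
}
INVOICES = {
    1001: {"owner": "u1", "total": 42.00},
    1002: {"owner": "u2", "total": 9.50},
}


class ApiError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def authenticate(token):
    """Authentication only: who is calling? Constant-time compare avoids a timing oracle on tokens."""
    for known, session in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return session
    raise ApiError(401)


def get_invoice_insecure(token, invoice_id):
    """Vulnerable: any valid token can read any invoice ID (broken object-level authorization)."""
    authenticate(token)
    if invoice_id not in INVOICES:
        raise ApiError(404)
    return INVOICES[invoice_id]


def get_invoice(token, invoice_id):
    """Hardened: the caller must own the object, or hold a role allowed to read all of them."""
    caller = authenticate(token)
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner"] != caller.user_id and caller.role != "support"):
        # One answer for 'does not exist' and 'not yours', so valid IDs cannot be enumerated.
        raise ApiError(404)
    return invoice


def status_of(handler, token, invoice_id):
    """HTTP-style status the handler would return for one request."""
    try:
        handler(token, invoice_id)
        return 200
    except ApiError as err:
        return err.status


if __name__ == "__main__":
    print("insecure: bob reads alice's invoice ->", status_of(get_invoice_insecure, "tok-bob", 1001))
    print("hardened: bob reads alice's invoice ->", status_of(get_invoice, "tok-bob", 1001))
    print("hardened: alice reads her invoice   ->", status_of(get_invoice, "tok-alice", 1001))
```

In a real service the ownership check belongs in a central policy layer that every handler passes through, so that a forgotten check is the exception rather than the default; per-handler checks like the one above are where the "catch-up" Yalon describes usually starts.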
Legacy Devices Vulnerable
Yalon added that old IoT devices, which are often forgotten about while quietly operating in the background, will continue to be juicy targets for threat actors in 2021.
“As these gadgets grow older but remain in use, many manufacturers have stopped supporting them with software updates and patches as they prioritize newer models, making older models prime targets for malicious actors looking for easy access points,” Yalon wrote. “As time moves on, vulnerabilities in these now outdated products will be discovered and exploited.”
Dovetailing with this, Armis recently reported that industrial, factory and medical gear has been left largely unpatched against the URGENT/11 and CDPwn groups of vulnerabilities, despite fixes having been available for some time. Armis found, for instance, that 97 percent of the OT devices affected by URGENT/11 remained unpatched.
Slow Progress on IoT Security
The passage of the IoT Cybersecurity Improvement Act in the U.S. last month was a step in the right direction, according to Yalon, but there is still much work to do.
The bipartisan legislation requires IoT devices procured by the federal government to meet minimum security standards. But Yalon added that no real progress can be made without intense pressure from consumers.
“Until consumers put real pressure on governments and manufacturers for improved security for IoT devices, or manufacturers place a greater emphasis on IoT security, this will be a continuing cause for concern,” he said.