Five top trends shaping software security in 2022
In this exclusive guest article, John Smith, EMEA Chief Technology Officer at Veracode, explores the five top trends shaping software security in 2022.
The significant disruption we have faced over the last 20 months has forced businesses in all industries to scale up their digital transformation efforts and make online operations easier for both employees and customers. Businesses have had to develop new applications and software at pace to enable remote work to continue. Developers have really felt the pain here, with 83% of working people reporting burnout.
Plus, the digital attack surface is growing at a record speed, leaving businesses more exposed to the risk of a cyber attack. In this context, there are a number of key trends of which business leaders should be aware.
1. Ubiquitous connectivity
The world is more interconnected than ever and IoT devices are an ever more prevalent part of our lives. From searching the Internet via our refrigerators to turning on our televisions with a simple voice command, there is no doubt that these devices and cloud-connected software can increase convenience. But what about cyber risk? According to the Verizon 2021 Data Breach Investigations Report (DBIR), web applications were the source of over 39% of breaches – double the amount seen in 2019.
2. The hyper-automation of software delivery
Speed of deployment will continue to be a major factor over the next several years, bringing a ‘hypercompetitiveness’ to businesses. In fact, recent research from Citrix found many firms anticipate a period of post-pandemic ‘hyperinnovation’.
Businesses will need to automate as many processes as possible to become more efficient and retain talent. Eventually, DevOps and pipeline automation will not just be goals; they’ll be expectations. And everything that can be code will be code: security as code, compliance as code, and infrastructure as code.
While many organisations are already embracing DevSecOps, we see an opportunity for security to shift even further left into the design phase to become ‘SecDevOps’. Security teams will be less operational, taking on more of an auditing role, while developers will oversee application security testing, automating scans into their existing workflows.
Over the next few years, we can also expect to see developers turning to AI and machine learning for tasks like vulnerability identification, threat modelling, and flaw remediation.
3. Abstraction and componentisation
To speed up software deployment, developers are increasingly breaking down applications into the smallest possible components, reusable blocks of logic — known as microservices — so they can be used in more ways. Application Programming Interfaces (APIs) are becoming more critical than ever as the means to integrate these microservices.
However, without the right security, APIs are a prime target for cybercriminals. A recent report from Akamai highlights numerous vulnerabilities, such as broken authentication, injection flaws, and misconfigurations. Unsecured APIs leave businesses more exposed to cyberattacks, and the threat is growing. In fact, according to Gartner, API abuses will be the most frequent attack vector in 2022.
4. Evolution of open-source libraries
It’s no surprise that open-source libraries also speed up development. In fact, our State of Software Security report found that 97% of a typical Java application is made up of open-source libraries. However, major cybersecurity incidents such as SolarWinds and Kaseya were the result of vulnerable open-source code. They are a stark reminder to re-examine every component of software development and deployment.
Since open-source libraries continue to evolve over time, failing to review and update the third-party code used in software is a significant cause for concern. And this happens with alarming frequency; 79% of the time developers do not update third-party libraries after first including them in software, according to our State of Software Security: Open-Source Edition. Moreover, almost one-third of applications now have more security flaws in their third-party code than in their first-party code.
Developers need to prioritise third-party library updates and regular code scanning to reduce the level of risk.
5. New cybersecurity policies
To reduce systemic risk in the software supply chain, we expect to see a greater emphasis on governance and policy around cybersecurity. In the U.S., the White House has already released an Executive Order that outlines security requirements for any organisation supplying software to the federal government. It is likely that these requirements will also make their way into the private sector, since much of the software sold to the government is also sold to enterprises. Similarly, in the UK, the new National Cyber Strategy 2022 demonstrates the government’s commitment to ensuring cybersecurity tools and practices are embedded into software development and maintenance.
Business leaders, not just in technology, should take these trends seriously. But with several trends to consider, what should businesses focus on first?
- Undertake an assessment of the attack surface, especially when it comes to modern software development practices, such as cloud and microservices architectures.
- Ensure regular open-source code scanning is made routine.
- Leverage a comprehensive, unified platform with multiple AppSec testing types to aid compliance efforts and ensure security is integrated into the software development lifecycle.
It’s important for businesses to understand the growing cyber risks out there and, therefore, why future-proofing their software needs to be a priority for 2022.