Cybersecurity mayhem is looming in the new year: Contrast Security’s SVP of Cyber Strategy Tom Kellermann is predicting more Denonia-like serverless malware and that Twitter will be turned into a cyberattack launching pad, among other 2023 doom-and-gloom predictions.
But when it comes to Application Security (AppSec) in particular, we’ve got more sparkly predictions — maybe even worthy of cork-popping — courtesy of Contrast Co-Founder and CTO Jeff Williams. He foresees a new era of application transparency, a move to shift-smart in application development that’s more nuanced than shift-left or shift-right, and more organizations finally folding application programming interface (API) security into their AppSec practices.
Read on for that and other predictions — including those both gloomy and cheery — from Jeff Williams.
1. Radical new transparency will change app/API security forever
The time for hiding your dirty security laundry is over. In 2022, the government mandated a future of full disclosure for the software industry, in the form of the Software Bills of Materials (SBOMs) and software security practices self-attestation letters outlined in the M-22-18 memo from the Office of Management and Budget (OMB).
Not all software producers will be up for the challenge, as Contrast CISO David Lindner has suggested. Regardless, anybody building software in the new year must let the sun shine in on their security practices, Williams says:
“After attacks like SolarWinds and Log4Shell, moving into 2023, the software industry will realize that cybersecurity incidents start in the software development process and supply chain,” Williams says. “By the end of 2023, we know that virtually all companies building software will have to publicly attest to their software security practices and create SBOMs under the Cybersecurity Executive Order and OMB regulations. That means that during 2023, anyone building software will have to ensure that all the details of their app/API security program are ready to be released in public. This includes security testing results, open-source security, runtime protection details and much more.”
Prepare yourselves, software producers: “Government-mandated full disclosure will change app/API security forever,” he predicts.
2. Organizations will “shift smart” in 2023
You’ve heard about shift left, the movement to move security testing earlier in the Software Development Life Cycle (SDLC) of analysis, design, coding, testing and deployment, rather than only at the end, when finding and fixing problems is more costly and causes delays. And then there’s shift right, in which runtime protection automates the process of adding security defenses into the code of applications and APIs. These injected defenses can identify attacks, create visibility and prevent exploits without relying on developers to write perfect code.
Well, forget shift right and shift left. It’s time to stop blindly pushing security one way or the other, Williams says. “Shifting left doesn’t cut it anymore,” he declares. Instead, we need to change to a “shift-smart” mentality.
“In 2023, more organizations will realize that they need to stop naively shifting everything left without considering where security can be done most accurately and cost-efficiently,” Williams decrees. “Shifting smart takes advantage of additional context available as software goes through a development pipeline. Some issues can be dealt with early without requiring much context, but many require additional context and should be dealt with later in the life cycle.”
3. AppSec is expanding to include APIs
API security has always been part of AppSec, and the server-side of almost all modern applications consists of APIs, Williams says.
But how much respect has it gotten? “In many organizations, APIs have been a second-class participant in security inventory, security testing, library security and protection programs,” he notes.
New year, new respect for API security? Williams thinks so. “AppSec will expand to include API security,” he predicts. “In response to recent significant API vulnerabilities and breaches, in 2023, we will see organizations fully include APIs in their AppSec practices.
“Organizations will move beyond legacy scan and firewall approaches and move to inside-out solutions that can understand the full context of API code. Organizations will also expand their open-source security programs and runtime protection initiatives to specifically include APIs.”
To learn more about API security, take a listen to this discussion between Williams and Melinda Marks, a Senior Analyst at ESG Research, where they unravel:
- What the future of API security holds for enterprises.
- What you need to know to secure your APIs.
- Strategies to stay ahead of the Continuous Integration/Continuous Deployment (CI/CD) lifecycle game.
- The path forward to building unified developer and security teams that can build secure APIs.
4. The definition of identity will evolve
The role of identity in app/API security is changing as people are finally starting to recognize that “identity” is not simply a username and password, Williams says. “Organizations should have a flexible definition of identity, with various tiers of confidence. Identity isn’t limited to possession of credentials; it can include notions of location, behavior, technology, and time.”
For example, we might believe someone’s identity because they recently logged in from a phone associated with that account, doing an activity they have done many times before, and from a place they are typically located, he explains. “If we see a request with the same credentials from a vastly different location, unknown web browser, doing something they’ve never done before, we should be very skeptical of that ‘identity.’ It’s critical for apps/APIs to keep up with changing models of authentication and identity.”
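The tiered-confidence idea Williams describes can be made concrete as a small risk-scoring step that runs after credentials have been verified. The following is an added example written for this article, not Contrast's product code: the signal names, the weights, the tier thresholds and the sample account baseline are all assumptions chosen to illustrate the approach. A request from a known device, known browser, usual country, familiar action and usual hour scores high and is allowed; a request with valid credentials but every other signal unfamiliar scores low and is denied; the in-between case gets a step-up challenge.

```python
"""Added example: tiered identity confidence from request context.

Illustrative code for this article, not Contrast's product. Signal names,
weights, tier thresholds and the sample baseline are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AccountBaseline:
    """Signals previously observed for one account (constructed sample data)."""
    known_devices: set = field(default_factory=set)
    known_browsers: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    known_actions: set = field(default_factory=set)
    usual_hours_utc: range = range(6, 23)  # hours (UTC) when the account is normally active


@dataclass
class Request:
    """One request whose username/password have already been verified."""
    device_id: str
    browser: str
    country: str
    action: str
    time: datetime


# Assumed weights; they sum to 100 so the score reads as a percentage.
WEIGHTS = {"credentials": 20, "device": 25, "browser": 10,
           "country": 20, "action": 15, "time": 10}


def confidence_score(baseline: AccountBaseline, req: Request) -> int:
    """Return 0..100: how strongly the request context corroborates the claimed identity."""
    score = WEIGHTS["credentials"]  # valid credentials are necessary but only a starting point
    if req.device_id in baseline.known_devices:
        score += WEIGHTS["device"]
    if req.browser in baseline.known_browsers:
        score += WEIGHTS["browser"]
    if req.country in baseline.known_countries:
        score += WEIGHTS["country"]
    if req.action in baseline.known_actions:
        score += WEIGHTS["action"]
    if req.time.hour in baseline.usual_hours_utc:
        score += WEIGHTS["time"]
    return score


def tier(score: int) -> str:
    """Map a score to a confidence tier (thresholds are assumptions)."""
    if score >= 80:
        return "high"
    if score >= 50:
        return "medium"
    return "low"


DECISIONS = {
    "high": "allow",
    "medium": "step-up",  # e.g. require a second factor before the sensitive action proceeds
    "low": "deny",        # treat the session as unauthenticated and raise an alert
}


def decide(baseline: AccountBaseline, req: Request) -> dict:
    """Evaluate one request and return its score, tier and the resulting decision."""
    score = confidence_score(baseline, req)
    t = tier(score)
    return {"score": score, "tier": t, "decision": DECISIONS[t]}


# Constructed baseline for a sample account.
BASELINE = AccountBaseline(
    known_devices={"phone-7a3c"},
    known_browsers={"Mobile Safari"},
    known_countries={"US"},
    known_actions={"view_balance", "pay_bill"},
)

# Constructed requests: familiar, partly unfamiliar, and entirely unfamiliar.
FAMILIAR = Request("phone-7a3c", "Mobile Safari", "US", "pay_bill",
                   datetime(2023, 1, 10, 14, 0, tzinfo=timezone.utc))
NEW_PLACE = Request("phone-7a3c", "Mobile Safari", "BR", "wire_transfer",
                    datetime(2023, 1, 10, 14, 0, tzinfo=timezone.utc))
ANOMALOUS = Request("desktop-unknown", "Unknown/1.0", "BR", "change_password",
                    datetime(2023, 1, 10, 3, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, req in [("familiar", FAMILIAR), ("new_place", NEW_PLACE), ("anomalous", ANOMALOUS)]:
        print(name, decide(BASELINE, req))
```

The point of the three sample requests is that the same valid credentials yield three different outcomes: the familiar request is allowed, the known phone doing a never-before-seen action from a new country is asked to step up, and the request where nothing but the password matches is refused. A real deployment would learn the baseline from history rather than hard-code it, and would log the score alongside the decision so that analysts can tune the weights.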
5. Fully automated security in 50% of pipelines
Williams forecasts that by the end of 2023, 50% of all companies that build software will have established a policy that defines exactly what automated security tests must be performed (and passed) in order to be able to deploy software into production.
“Teams that add these automated security tests to their automated pipeline will be able to deploy new features at whatever velocity they want to go, without compromising security,” he suggests. “These policies enable developers to quickly get a full security analysis during production without requiring that humans be in the loop.”
Criteria for production deployment can include “clean” results for novel vulnerabilities in application workloads, covering all the custom code, libraries, frameworks, app server and runtime platform. They can also include “clean” results for known vulnerabilities in open-source libraries, over 80% route coverage for testing, and having runtime protection in place.
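A deployment policy like the one just described is easiest to enforce when it is written as code that the pipeline runs on every build. The block below is an added example for this article, not Contrast's product or any real pipeline's API: the findings format, the severity thresholds and the two sample build reports are assumptions. It encodes the four criteria above (no blocking novel vulnerabilities, no blocking known vulnerabilities in open-source libraries, at least 80% route coverage, runtime protection enabled) and returns every reason a build fails rather than stopping at the first, so developers see the whole list without a human in the loop.

```python
"""Added example: a policy-as-code deployment gate.

Illustrative code for this article, not Contrast's product. The findings
format, the thresholds and the sample reports are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    """One result from the pipeline's automated security tests."""
    kind: str        # "novel": new vulnerability in the workload itself (custom code, framework,
                     #          app server, runtime); "known": published CVE in an open-source library
    severity: str    # "low", "medium", "high" or "critical"
    component: str   # where it was found


@dataclass(frozen=True)
class PipelineReport:
    """Aggregated results for one build candidate (constructed sample data)."""
    findings: Tuple[Finding, ...]
    route_coverage: float        # fraction of app/API routes exercised during testing
    runtime_protection: bool     # is runtime protection configured for this workload?


# The policy itself. Thresholds are assumptions chosen for the example.
POLICY = {
    "block_novel_at_or_above": "medium",
    "block_known_at_or_above": "high",
    "min_route_coverage": 0.80,
    "require_runtime_protection": True,
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def evaluate(report: PipelineReport, policy: dict = POLICY) -> Tuple[bool, List[str]]:
    """Return (may_deploy, reasons). An empty reasons list means the gate passed."""
    reasons: List[str] = []
    for f in report.findings:
        key = "block_novel_at_or_above" if f.kind == "novel" else "block_known_at_or_above"
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[policy[key]]:
            reasons.append(f"{f.severity} {f.kind} vulnerability in {f.component}")
    if report.route_coverage < policy["min_route_coverage"]:
        reasons.append(f"route coverage {report.route_coverage:.0%} "
                       f"below {policy['min_route_coverage']:.0%}")
    if policy["require_runtime_protection"] and not report.runtime_protection:
        reasons.append("runtime protection not enabled")
    return (not reasons, reasons)


# Constructed reports for two build candidates (component names are placeholders).
BLOCKED_BUILD = PipelineReport(
    findings=(
        Finding("novel", "high", "src/orders/OrderController.java"),
        Finding("known", "medium", "example-lib 1.2.3 (placeholder dependency)"),
        Finding("known", "critical", "example-parser 0.9.0 (placeholder dependency)"),
    ),
    route_coverage=0.72,
    runtime_protection=False,
)

CLEAN_BUILD = PipelineReport(
    findings=(Finding("known", "medium", "example-lib 1.2.3 (placeholder dependency)"),),
    route_coverage=0.91,
    runtime_protection=True,
)

if __name__ == "__main__":
    for name, report in [("blocked", BLOCKED_BUILD), ("clean", CLEAN_BUILD)]:
        ok, reasons = evaluate(report)
        print(name, "DEPLOY" if ok else "BLOCK", reasons)
```

Two design choices are worth noting. Novel and known vulnerabilities get separate thresholds because they carry different context: a medium-severity issue in your own code is fixable immediately, while a medium CVE in a dependency may have no upgrade yet and is often handled by runtime protection instead. And the policy is plain data, so it can live in version control beside the application and be reviewed like any other change.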
6. Runtime protection will become standard
The complexity of modern applications and APIs has made legacy protections like web application firewalls dramatically less effective than ever, Williams declares. According to Forrester, 80% of companies across all sectors are either deploying or planning to deploy runtime protection in 2023.
“In 2023, we will see runtime protection become a standard part of every web app/API stack,” he says. “As a better, fully automated way to remediate vulnerabilities in both custom code and open-source libraries, runtime protection will enable development teams to move faster, deliver safer code, minimize zero-day fire drills and create visibility into who is attacking, what attack vectors they use and which apps/APIs they are targeting.”
7. Expect more zero days, waves of attack
Bad actors will continue their attacks on apps and APIs, open-source libraries and software development infrastructure — an unwelcome outcome of the sparse attention given to open-source libraries, Williams explains. “There are only a handful of security researchers focused on analyzing open-source libraries for novel vulnerabilities, so we’re likely to see at least two or three significant zero-day disclosures and inevitable waves of attacks,” Williams says. “Attackers will leverage these vulnerabilities not only to steal data, but also to install malware, run ransomware and mine cryptocurrency.”
Contrast’s Senior Vice President of Cyber Strategy Tom Kellermann agrees with Williams, and he doesn’t shy away from naming a figure: He’s thinking that we’ll see eight new serious open-source software (OSS) zero days released in the coming year. As it is, there were more than three released in 2022, and he’s predicting that the curve will go up. Take at least three zero days as a baseline and add what Kellermann thinks will be about five major OSS zero days.
“We’re seeing more zero days because the same intelligence is being used by protectors and attackers,” Kellermann says, referring to what he describes as a Pax Mafiosa between nation states Iran, North Korea, China and Russia. Those nation states’ intelligence agencies, hacker communities and cybercrime cartels all share information with each other. This nexus is where the cyber criminals act as cyber militias, creating the R&D behind zero days such as the next Denonia or behind devastating island-hopping attacks such as SolarWinds or Kaseya.
That’s why Contrast protects against zero-days, Kellermann stresses, pointing out that Contrast Protect stops entire classes of attacks. It’s crucial to have that level of protection because cybersecurity is an arms race. We have no choice: We all need to continue to develop and modernize because that’s exactly what adversaries are doing.